Analysis Report LI180_win-1.5.1.exe

Overview

General Information

Sample Name: LI180_win-1.5.1.exe
Analysis ID: 358582
MD5: 77d64242fbd270b5363d383b51075783
SHA1: 4c23d1f71ff19b5c046d8b1d750104a386f184f9
SHA256: a48f199141b10a4d425fd128ac0bdfca75ec98741a3eacff11a67a3bbc4bde01

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

May use the Tor software to hide its network traffic
Sample is not signed and drops a device driver
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to detect Joe Sandbox
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample searches for specific file, try point organization specific fake files to the analysis machine
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Startup

  • System is w10x64
  • LI180_win-1.5.1.exe (PID: 6472 cmdline: 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' -install MD5: 77D64242FBD270B5363D383B51075783)
    • LI-180_Installer.exe (PID: 6704 cmdline: .\LI-180_Installer.exe -install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k='' MD5: A94344CD648287F3BC40B538AF42190B)
      • x64DPInst.exe (PID: 6588 cmdline: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F MD5: BE3C79033FA8302002D9D3A6752F2263)
      • x86DPInst.exe (PID: 4280 cmdline: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F MD5: 30A0AFEE4AEA59772DB6434F1C0511AB)
  • LI180_win-1.5.1.exe (PID: 6660 cmdline: 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' /install MD5: 77D64242FBD270B5363D383B51075783)
    • LI-180_Installer.exe (PID: 7000 cmdline: .\LI-180_Installer.exe /install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k='' MD5: A94344CD648287F3BC40B538AF42190B)
      • x64DPInst.exe (PID: 1936 cmdline: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F MD5: BE3C79033FA8302002D9D3A6752F2263)
      • x86DPInst.exe (PID: 6644 cmdline: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F MD5: 30A0AFEE4AEA59772DB6434F1C0511AB)
  • LI180_win-1.5.1.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' /load MD5: 77D64242FBD270B5363D383B51075783)
    • LI-180_Installer.exe (PID: 5740 cmdline: .\LI-180_Installer.exe /load /m='C:\Users\user\Desktop\LI180_~1.EXE' /k='' MD5: A94344CD648287F3BC40B538AF42190B)
      • x64DPInst.exe (PID: 5156 cmdline: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F MD5: BE3C79033FA8302002D9D3A6752F2263)
      • x86DPInst.exe (PID: 5944 cmdline: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F MD5: 30A0AFEE4AEA59772DB6434F1C0511AB)
  • msiexec.exe (PID: 4856 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 71E95B410ABC515A6ABA0566A4073125 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • drvinst.exe (PID: 6048 cmdline: DrvInst.exe '4' '0' 'C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\siusbxp.inf' '9' '4ae43d7fb' '00000000000001BC' 'WinSta0\Default' '00000000000001C0' '208' 'c:\progra~2\li-180~1\driver' MD5: 46F5A16FA391AB6EA97C602B4D2E7819)
  • msiexec.exe (PID: 1844 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CCF296E1DF7FA7E357D3B10A86C0BEB2 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 6320 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FCA266DDB967C0E28D252C5FC68B1467 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
dropped/LI-180_Installer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000005.00000000.220729543.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000007.00000000.240817220.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000009.00000000.257055940.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
9.0.LI-180_Installer.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
6.3.LI180_win-1.5.1.exe.4a26f2d.2.raw.unpack | wce | wce | Benjamin DELPY (gentilkiwi) |
• 0xea119:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
• 0xed309:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
• 0x233c0c:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
• 0x237a44:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
6.3.LI180_win-1.5.1.exe.4a6de91.1.raw.unpack | wce | wce | Benjamin DELPY (gentilkiwi) |
• 0xa31b5:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
• 0xa63a5:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
• 0x1ecca8:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
• 0x1f0ae0:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
7.0.LI-180_Installer.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
6.3.LI180_win-1.5.1.exe.49efe49.0.raw.unpack | wce | wce | Benjamin DELPY (gentilkiwi) |
• 0x1211fd:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
• 0x1243ed:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
• 0x26acf0:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
• 0x26eb28:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: 6.3.LI180_win-1.5.1.exe.524107f.7.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: LI180_win-1.5.1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Creates license or readme file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia2\license.rtf
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia3\license.rtf
Binary contains paths to debug symbols
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SiLib.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: gacutil.pdb, AH/@ source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: GameuxInstallHelper.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: gacutil.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SIUSBXP.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: gacutil.pdb(0 source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: DpInst.pdbH source: LI180_win-1.5.1.exe, 00000006.00000003.250489597.0000000004DF2000.00000004.00000001.sdmp
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdbp source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SiLib.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: DpInst.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp
                          Source: Binary string: gacutlrc.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: DpInst.pdbp source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 0_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW,0_2_00409263
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 3_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW,3_2_00409263
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_0040C9F8 FindFirstFileW,FindClose,5_2_0040C9F8
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00424B48 FindFirstFileW,GetLastError,5_2_00424B48
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,5_2_007942A8
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,5_2_0040C434
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00424548 FindFirstFileW,FindClose,5_2_00424548
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,5_2_00596518
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00424764 FindFirstFileW,FindClose,5_2_00424764
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00794720 FindFirstFileW,FindClose,5_2_00794720
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,5_2_00794724
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_0040C9F8 FindFirstFileW,FindClose,7_2_0040C9F8
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_00424B48 FindFirstFileW,GetLastError,7_2_00424B48
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,7_2_007942A8
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,7_2_0040C434
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_00424548 FindFirstFileW,FindClose,7_2_00424548
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,7_2_00596518
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_00424764 FindFirstFileW,FindClose,7_2_00424764
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_00794720 FindFirstFileW,FindClose,7_2_00794720
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,7_2_00794724
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_0040C9F8 FindFirstFileW,FindClose,9_2_0040C9F8
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_00424B48 FindFirstFileW,GetLastError,9_2_00424B48
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,9_2_007942A8
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,9_2_0040C434
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_00424548 FindFirstFileW,FindClose,9_2_00424548
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,9_2_00596518
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_00424764 FindFirstFileW,FindClose,9_2_00424764
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_00794720 FindFirstFileW,FindClose,9_2_00794720
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,9_2_00794724
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00422390 GetLogicalDriveStringsW,QueryDosDeviceW,5_2_00422390
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.251496835.000000000549A000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.251496835.000000000549A000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                          Source: LI-180_Installer.exeString found in binary or memory: http://standards.iso.org/iso/19770/-2/2008/schema.xsd
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmpString found in binary or memory: http://support.steema.com
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmpString found in binary or memory: http://support.uprtek.com/DB/uploads/SW/uSpectrum_Installer.zip
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmpString found in binary or memory: http://support.uprtek.com/DB/uploads/SW/uSpectrum_Installer.zipM_VER_LAUNCH_INSTALLER_AFTER_DOWNLOAD
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmpString found in binary or memory: http://support.uprtek.com/DB/uploads/SW/versions.asp?section=
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmpString found in binary or memory: http://support.uprtek.com/DB/uploads/SW/versions.asp?section=&keyword=00SOFTWARE_PCUSPECTRUMLI-180
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.241211436.0000000002D18000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/http://ascendercorp.com/eula10.html
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.241211436.0000000002D18000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlThis
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmpString found in binary or memory: http://www.indyproject.org/
                          Source: LI180_win-1.5.1.exeString found in binary or memory: http://www.installaware.com
                          Source: LI-180_Installer.exeString found in binary or memory: http://www.installaware.com/
                          Source: LI180_win-1.5.1.exe, 00000000.00000000.207294394.0000000000446000.00000002.00020000.sdmp, LI180_win-1.5.1.exe, 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000000.229057375.0000000000446000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmpString found in binary or memory: http://www.installaware.comz
                          Source: LI-180_Installer.exe, 00000005.00000003.363557816.00000000028E4000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.435540527.0000000002A04000.00000004.00000001.sdmpString found in binary or memory: http://www.licor.com
                          Source: LI-180_Installer.exe, 00000005.00000003.363557816.00000000028E4000.00000004.00000001.sdmpString found in binary or memory: http://www.licor.com1g
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmpString found in binary or memory: http://www.licor.comAbacusPosAP
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmpString found in binary or memory: http://www.licor.comPut
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.246440181.00000000041E8000.00000004.00000001.sdmpString found in binary or memory: http://www.quickreport.co.uk
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmpString found in binary or memory: http://www.steema.com/exceptions/add.php?ide=
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.246598775.0000000004253000.00000004.00000001.sdmpString found in binary or memory: http://www.uprtek.com
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.241211436.0000000002D18000.00000004.00000001.sdmpString found in binary or memory: https://www.licor.com/
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe File created: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\SET2959.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\SET2CF3.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Windows\Fonts\mdd_0.ttf
Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\SET2CF3.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00417B6C appears 72 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00408BFB appears 78 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00419DCD appears 40 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 0040110F appears 42 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00416B21 appears 328 times
Source: LI180_win-1.5.1.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z6C81.tmp.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 7z.dll.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 7z9094.tmp.7.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 7zAEDA.tmp.9.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: LI180_win-1.5.1.exe, 00000000.00000002.373951660.0000000006290000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDPInst.exed" vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDPInst.exe vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDPInst.exe|. vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDPInst.exex, vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDPInst.exep( vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDPInst.exev+ vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDPInst.exel& vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDPInst.exef# vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDPInst.exe~/ vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250931265.000000000510A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSiUSBXp.dll^ vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.251496835.000000000549A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInstall Fonts EXE-PlugIn.dllb vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSiLib.sys: vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSiUSBXp.sys4 vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmpBinary or memory string: OriginalFilename7za.dll, vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameahadmin_wrapper.dll4 vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameahadmin_.dll4 vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGameuxInstallHelper.DLLb! vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagedVCL.Utils.dll8 vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamegacutil.exeT vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamegacutlrc.dllT vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamez vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDriverUninstaller.EXE\ vs LI180_win-1.5.1.exe
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.250472439.0000000004DC3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDriverInstaller.EXEX vs LI180_win-1.5.1.exe
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeSection loaded: tsappcmp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeSection loaded: tsappcmp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeSection loaded: tsappcmp.dll
                          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                          Source: LI180_win-1.5.1.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                          Source: 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
                          Source: 6.3.LI180_win-1.5.1.exe.4a26f2d.2.raw.unpack, type: UNPACKEDPEMatched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
                          Source: 6.3.LI180_win-1.5.1.exe.4a6de91.1.raw.unpack, type: UNPACKEDPEMatched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
                          Source: 6.3.LI180_win-1.5.1.exe.49efe49.0.raw.unpack, type: UNPACKEDPEMatched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
                          Source: classification engineClassification label: sus24.evad.winEXE@25/329@0/0
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 0_2_00413849 GetVersion,CoCreateInstance,0_2_00413849
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_004580E4 FindResourceW,LoadResource,SizeofResource,LockResource,5_2_004580E4
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\IIIJump to behavior
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmpJump to behavior
                          Source: Yara matchFile source: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000005.00000000.220729543.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000007.00000000.240817220.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000009.00000000.257055940.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe, type: DROPPED
                          Source: Yara matchFile source: dropped/LI-180_Installer.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, type: DROPPED
                          Source: Yara matchFile source: 9.0.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 7.0.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 5.0.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 9.2.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 7.2.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 5.2.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: X~H0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: "-k=0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: "/k=0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: -k=0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: /k=0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: ;!@InstallEnd@!0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: BB0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: Title0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: Directory0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: RunProgram0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: ExecuteFile0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: setup.exe0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: %%T0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: %%T\0_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: "-k=3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: "/k=3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: -k=3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: /k=3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: ;!@InstallEnd@!3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: BB3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: Title3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: Directory3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: RunProgram3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: ExecuteFile3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: setup.exe3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: %%T3_2_00413F63
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCommand line argument: %%T\3_2_00413F63
                          Source: LI180_win-1.5.1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\Windows\SysWOW64\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile read: C:\Users\desktop.iniJump to behavior
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                          Source: LI-180_Installer.exeString found in binary or memory: <!--StartFragment-->
                          Source: LI-180_Installer.exeString found in binary or memory: Start/Stop Count
                          Source: LI-180_Installer.exeString found in binary or memory: NATS-SEFI-ADD
                          Source: LI-180_Installer.exeString found in binary or memory: NATS-DANO-ADD
                          Source: LI-180_Installer.exeString found in binary or memory: JIS_C6229-1984-b-add
                          Source: LI-180_Installer.exeString found in binary or memory: jp-ocr-b-add
                          Source: LI-180_Installer.exeString found in binary or memory: JIS_C6229-1984-hand-add
                          Source: LI-180_Installer.exeString found in binary or memory: jp-ocr-hand-add
                          Source: LI-180_Installer.exeString found in binary or memory: ISO_6937-2-add
                          Source: LI-180_Installer.exeString found in binary or memory: </InstallAware>
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile read: C:\Users\user\Desktop\LI180_win-1.5.1.exe
                          Source: unknownProcess created: C:\Users\user\Desktop\LI180_win-1.5.1.exe 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' -install
                          Source: unknownProcess created: C:\Users\user\Desktop\LI180_win-1.5.1.exe 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' /install
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe .\LI-180_Installer.exe -install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
                          Source: unknownProcess created: C:\Users\user\Desktop\LI180_win-1.5.1.exe 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' /load
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /load /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
                          Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 71E95B410ABC515A6ABA0566A4073125
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: unknownProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe '4' '0' 'C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\siusbxp.inf' '9' '4ae43d7fb' '00000000000001BC' 'WinSta0\Default' '00000000000001C0' '208' 'c:\progra~2\li-180~1\driver'
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CCF296E1DF7FA7E357D3B10A86C0BEB2
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FCA266DDB967C0E28D252C5FC68B1467
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe .\LI-180_Installer.exe -install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /load /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile written: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\6C0AF2E8\BE4A257\LICORlang.ini
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeWindow found: window name: TButton
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeAutomated click: I accept the terms of the license agreement
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeAutomated click: I accept the terms of the license agreement
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeAutomated click: I accept the terms of the license agreement
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeAutomated click: I accept the terms of the license agreement
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeAutomated click: I accept the terms of the license agreement
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeAutomated click: I accept the terms of the license agreement
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeAutomated click: I accept the terms of the license agreement
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeAutomated click: I accept the terms of the license agreement
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeAutomated click: Next >
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: LI180_win-1.5.1.exeStatic file information: File size 10630347 > 1048576
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SiLib.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: gacutil.pdb, AH/@ source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: GameuxInstallHelper.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: gacutil.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SIUSBXP.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: gacutil.pdb(0 source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: DpInst.pdbH source: LI180_win-1.5.1.exe, 00000006.00000003.250489597.0000000004DF2000.00000004.00000001.sdmp
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdbp source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SiLib.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
                          Source: Binary string: DpInst.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp
                          Source: Binary string: gacutlrc.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
                          Source: Binary string: DpInst.pdbp source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 0_2_0041C3CC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_0041C3CC
                          Source: 7z6C81.tmp.5.drStatic PE information: real checksum: 0x0 should be: 0xe8565
                          Source: 7z.dll.5.drStatic PE information: real checksum: 0x0 should be: 0xe8565
                          Source: 7z9094.tmp.7.drStatic PE information: real checksum: 0x0 should be: 0xe8565
                          Source: 7zAEDA.tmp.9.drStatic PE information: real checksum: 0x0 should be: 0xe8565
                          Source: LI180_win-1.5.1.exeStatic PE information: real checksum: 0x4db7e should be:
                          Source: 7z6C81.tmp.5.drStatic PE information: section name: .sxdata
                          Source: 7z.dll.5.drStatic PE information: section name: .sxdata
                          Source: 7z9094.tmp.7.drStatic PE information: section name: .sxdata
                          Source: 7zAEDA.tmp.9.drStatic PE information: section name: .sxdata
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 0_2_00416BF9 push ecx; ret 0_2_00416C0C
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 0_2_00417BB1 push ecx; ret 0_2_00417BC4
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 3_2_00416BF9 push ecx; ret 3_2_00416C0C
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 3_2_00417BB1 push ecx; ret 3_2_00417BC4
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_0076889C push 00768B24h; ret 5_2_00768B1C
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_0076839C push 007686BAh; ret 5_2_007686B2
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_0045116C push ecx; mov dword ptr [esp], edx5_2_00451171
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 6_2_006A407C push es; retf 0000h6_2_006A4096
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 6_2_006A404D push es; ret 6_2_006A404E
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 6_2_006A8C38 push ecx; retf 6_2_006A8CC2
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 6_2_006AE408 pushfd ; retn 0000h6_2_006AE409
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 6_2_006B14B8 push esp; retf 6_2_006B14B9
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 6_2_006A409B push es; retf 6_2_006A409E
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 6_2_006AEAC4 push eax; ret 6_2_006AEAC5
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 6_2_006B136C push ds; retf 6_2_006B1371
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_0076889C push 00768B24h; ret 7_2_00768B1C
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_0076839C push 007686BAh; ret 7_2_007686B2
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_0045116C push ecx; mov dword ptr [esp], edx7_2_00451171
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_0076889C push 00768B24h; ret 9_2_00768B1C
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_0076839C push 007686BAh; ret 9_2_007686B2
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeCode function: 9_2_0045116C push ecx; mov dword ptr [esp], edx9_2_00451171

                          Persistence and Installation Behavior:

                          Sample is not signed and drops a device driver
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sysJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sysJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sysJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sysJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeFile created: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET298B.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\7zAEDA.tmpJump to dropped file
                          Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D34.tmpJump to dropped file
                          Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D33.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.libJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sysJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia2\mDIFxEXE.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\7z6C81.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sysJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia1\mDIFxEXE.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\III\7z.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sysJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\mia.libJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sysJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\mia.libJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeFile created: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET295B.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia3\mDIFxEXE.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sysJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sysJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sysJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\mia.libJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia3\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sysJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia3\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia2\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia2\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\7z9094.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\IAW4D1E.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.libJump to dropped file
                          Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D34.tmpJump to dropped file
                          Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D33.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\mia.libJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\mia.libJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeFile created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\mia.libJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeFile created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.libJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia1\license.rtfJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia2\license.rtfJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\mia3\license.rtf

                          Hooking and other Techniques for Hiding and Protection:

                          May use the Tor software to hide its network traffic
                          Source: LI-180_Installer.exe, 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.247441410.00000000045B7000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.243305718.000000007F8E9000.00000004.00000001.sdmpBinary or memory string: torConnect
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\drvinst.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\msiexec.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET295B.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET298B.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exeJump to dropped file
                          Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D34.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D33.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia3\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia3\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia2\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia2\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IAW4D1E.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exeJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dllJump to dropped file
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-17050
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_0-16958
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exeFile operation: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SiUSBXp.sys
                          Source: C:\Windows\System32\drvinst.exeFile operation: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SiUSBXp.sys
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 0_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW,0_2_00409263
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exeCode function: 3_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW,3_2_00409263
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_0040C9F8 FindFirstFileW,FindClose,5_2_0040C9F8
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00424B48 FindFirstFileW,GetLastError,5_2_00424B48
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,5_2_007942A8
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,5_2_0040C434
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00424548 FindFirstFileW,FindClose,5_2_00424548
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,5_2_00596518
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00424764 FindFirstFileW,FindClose,5_2_00424764
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00794720 FindFirstFileW,FindClose,5_2_00794720
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exeCode function: 5_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,5_2_00794724
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_0040C9F8 FindFirstFileW,FindClose,7_2_0040C9F8
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_00424B48 FindFirstFileW,GetLastError,7_2_00424B48
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,7_2_007942A8
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,7_2_0040C434
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_00424548 FindFirstFileW,FindClose,7_2_00424548
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exeCode function: 7_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,7_2_00596518
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00424764 FindFirstFileW,FindClose,7_2_00424764
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00794720 FindFirstFileW,FindClose,7_2_00794720
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,7_2_00794724
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_0040C9F8 FindFirstFileW,FindClose,9_2_0040C9F8
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00424B48 FindFirstFileW,GetLastError,9_2_00424B48
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,9_2_007942A8
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,9_2_0040C434
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00424548 FindFirstFileW,FindClose,9_2_00424548
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,9_2_00596518
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00424764 FindFirstFileW,FindClose,9_2_00424764
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00794720 FindFirstFileW,FindClose,9_2_00794720
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,9_2_00794724
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00422390 GetLogicalDriveStringsW,QueryDosDeviceW,5_2_00422390
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe API call chain: ExitProcess graph end node graph_0-17051
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe API call chain: ExitProcess graph end node graph_3-17051
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041B20D
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C3CC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_0041C3CC
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041B20D
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_004182E8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004182E8
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B945 SetUnhandledExceptionFilter,0_2_0041B945
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00416B12 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00416B12
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0041B20D
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_004182E8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_004182E8
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0041B945 SetUnhandledExceptionFilter,3_2_0041B945
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00416B12 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00416B12
                          Source: LI-180_Installer.exe Binary or memory string: Shell_TrayWnd
                          Source: LI-180_Installer.exe Binary or memory string: Progman
                          Source: LI-180_Installer.exe, 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.247441410.00000000045B7000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.243305718.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: Progmanadvapi32.dllCreateProcessWithTokenW
                          Source: LI-180_Installer.exe, 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.247441410.00000000045B7000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.243305718.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: ProgmanU
                          Source: LI-180_Installer.exe, 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.247441410.00000000045B7000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.243305718.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndU
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndS
                          Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040DA29 cpuid 0_2_0040DA29
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: GetLocaleInfoA,0_2_004204E7
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: GetLocaleInfoA,3_2_004204E7
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW,5_2_0040CB30
                          Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_0040BFD8
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW,7_2_0040CB30
                          Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_0040BFD8
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW,9_2_0040CB30
                          Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_0040BFD8
                          Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\SiUSBXp.cat VolumeInformation
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C0BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0041C0BC
                          Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00413849 GetVersion,CoCreateInstance,0_2_00413849
                          Source: C:\Windows\System32\drvinst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                          Mitre Att&ck Matrix

                          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                          Valid Accounts | Command and Scripting Interpreter 3 | Windows Service 1 | Windows Service 1 | Masquerading 41 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                          Default Accounts | Native API 2 | DLL Side-Loading 1 | Process Injection 2 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Multi-hop Proxy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                          Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading 1 | Process Injection 2 | Security Account Manager | Security Software Discovery 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Proxy 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Virtualization/Sandbox Evasion 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Owner/User Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                          External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | File and Directory Discovery 5 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | System Information Discovery 44 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                          Behavior Graph

                          [Behavior graph image not reproduced. Behavior Graph ID: 358582; Sample: LI180_win-1.5.1.exe; Startdate: 25/02/2021; Architecture: WINDOWS; Score: 24]

                          Antivirus, Machine Learning and Genetic Malware Detection

                          Initial Sample

                          No Antivirus matches

                          Dropped Files

                          Source | Detection | Scanner | Label | Link
                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib | 0% | Metadefender | | Browse
                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib | 5% | ReversingLabs | |
                          C:\Users\user\AppData\Local\III\7z.dll | 3% | Metadefender | | Browse
                          C:\Users\user\AppData\Local\III\7z.dll | 0% | ReversingLabs | |
                          C:\Users\user\AppData\Local\Temp\7z6C81.tmp | 3% | Metadefender | | Browse
                          C:\Users\user\AppData\Local\Temp\7z6C81.tmp | 0% | ReversingLabs | |
                          C:\Users\user\AppData\Local\Temp\7z9094.tmp | 3% | Metadefender | | Browse
                          C:\Users\user\AppData\Local\Temp\7z9094.tmp | 0% | ReversingLabs | |
                          C:\Users\user\AppData\Local\Temp\7zAEDA.tmp | 3% | Metadefender | | Browse
                          C:\Users\user\AppData\Local\Temp\7zAEDA.tmp | 0% | ReversingLabs | |
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll | 0% | Metadefender | | Browse
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll | 0% | ReversingLabs | |
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll | 4% | ReversingLabs | |
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe | 0% | Metadefender | | Browse
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe | 0% | ReversingLabs | |
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe | 0% | Metadefender | | Browse
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe | 0% | ReversingLabs | |
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys | 0% | Metadefender | | Browse
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys | 0% | ReversingLabs | |
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe | 0% | Metadefender | | Browse
                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe | 2% | ReversingLabs | |

                          Unpacked PE Files

                          Source | Detection | Scanner | Label | Link | Download
                          6.3.LI180_win-1.5.1.exe.524107f.7.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File

                          Domains

                          No Antivirus matches

                          URLs

                          Source | Detection | Scanner | Label | Link
                          http://support.uprtek.com/DB/uploads/SW/versions.asp?section=&keyword=00SOFTWARE_PCUSPECTRUMLI-180 | 0% | Avira URL Cloud | safe |
                          http://support.uprtek.com/DB/uploads/SW/uSpectrum_Installer.zip | 0% | Avira URL Cloud | safe |
                          http://www.licor.comPut | 0% | Avira URL Cloud | safe |
                          http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlThis | 0% | Avira URL Cloud | safe |
                          http://www.steema.com/exceptions/add.php?ide= | 0% | Avira URL Cloud | safe |
                          http://www.installaware.comz | 0% | Avira URL Cloud | safe |
                          http://www.quickreport.co.uk | 0% | Avira URL Cloud | safe |
                          http://www.licor.comAbacusPosAP | 0% | Avira URL Cloud | safe |
                          http://www.ascendercorp.com/http://ascendercorp.com/eula10.html | 0% | Avira URL Cloud | safe |
                          http://www.indyproject.org/ | 0% | URL Reputation | safe |
                          http://www.indyproject.org/ | 0% | URL Reputation | safe |
                          http://www.indyproject.org/ | 0% | URL Reputation | safe |
                          http://support.uprtek.com/DB/uploads/SW/uSpectrum_Installer.zipM_VER_LAUNCH_INSTALLER_AFTER_DOWNLOAD | 0% | Avira URL Cloud | safe |
                          http://www.uprtek.com | 0% | Avira URL Cloud | safe |
                          http://support.steema.com | 0% | Avira URL Cloud | safe |
                          http://www.licor.com1g | 0% | Avira URL Cloud | safe |
                          http://www.installaware.com | 0% | Avira URL Cloud | safe |
                          http://www.installaware.com/ | 0% | Avira URL Cloud | safe |
                          http://support.uprtek.com/DB/uploads/SW/versions.asp?section= | 0% | Avira URL Cloud | safe |

                          Domains and IPs

                          Contacted Domains

                          No contacted domains info

                          URLs from Memory and Binaries

                          Name | Source | Malicious | Antivirus Detection | Reputation
                          http://www.licor.com | LI-180_Installer.exe, 00000005.00000003.363557816.00000000028E4000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.435540527.0000000002A04000.00000004.00000001.sdmp | false | | high
                          https://www.licor.com/ | LI180_win-1.5.1.exe, 00000006.00000003.241211436.0000000002D18000.00000004.00000001.sdmp | false | | high
                          http://support.uprtek.com/DB/uploads/SW/versions.asp?section=&keyword=00SOFTWARE_PCUSPECTRUMLI-180 | LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://support.uprtek.com/DB/uploads/SW/uSpectrum_Installer.zip | LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.licor.comPut | LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlThis | LI180_win-1.5.1.exe, 00000006.00000003.241211436.0000000002D18000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.steema.com/exceptions/add.php?ide= | LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://standards.iso.org/iso/19770/-2/2008/schema.xsd | LI-180_Installer.exe | false | | high
                          http://www.installaware.comz | LI180_win-1.5.1.exe, 00000000.00000000.207294394.0000000000446000.00000002.00020000.sdmp, LI180_win-1.5.1.exe, 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000000.229057375.0000000000446000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.quickreport.co.uk | LI180_win-1.5.1.exe, 00000006.00000003.246440181.00000000041E8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.licor.comAbacusPosAP | LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.ascendercorp.com/http://ascendercorp.com/eula10.html | LI180_win-1.5.1.exe, 00000006.00000003.241211436.0000000002D18000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.indyproject.org/ | LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                          http://support.uprtek.com/DB/uploads/SW/uSpectrum_Installer.zipM_VER_LAUNCH_INSTALLER_AFTER_DOWNLOAD | LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.uprtek.com | LI180_win-1.5.1.exe, 00000006.00000003.246598775.0000000004253000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://support.steema.com | LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.licor.com1g | LI-180_Installer.exe, 00000005.00000003.363557816.00000000028E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.installaware.com | LI180_win-1.5.1.exe | false | Avira URL Cloud: safe | unknown
                          http://www.installaware.com/ | LI-180_Installer.exe | false | Avira URL Cloud: safe | unknown
                          http://support.uprtek.com/DB/uploads/SW/versions.asp?section= | LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                Contacted IPs

                                No contacted IP infos

                                General Information

                                Joe Sandbox Version:31.0.0 Emerald
                                Analysis ID:358582
                                Start date:25.02.2021
                                Start time:21:52:55
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 15m 18s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:LI180_win-1.5.1.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Run name:Cmdline fuzzy
                                Number of analysed new started processes analysed:40
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:SUS
                                Classification:sus24.evad.winEXE@25/329@0/0
                                EGA Information:
                                • Successful, ratio: 83.3%
                                HDC Information:
                                • Successful, ratio: 99.6% (good quality ratio 98.2%)
                                • Quality average: 83.1%
                                • Quality standard deviation: 23.5%
                                HCA Information:Failed
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                • Execution Graph export aborted for target LI180_win-1.5.1.exe, PID 6960 because there are no executed function
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtEnumerateValueKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/358582/sample/LI180_win-1.5.1.exe

                                Simulations

                                Behavior and APIs

                                No simulations

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                No context

                                JA3 Fingerprints

                                No context

                                Dropped Files

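                                Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib | gagepack12.0_setup.msi | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\III\7z.dll | sampplr.exe | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\III\7z.dll | gagepack12.0_setup.msi | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\III\7z.dll | mbam-setup-1.80.2.1012.exe | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\III\7z.dll | mbam-setup-1.80.2.1012.msi | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\III\7z.dll | iNa0oXzqgX.exe | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\III\7z.dll | http://dl.verypdf.net/pdf2txtocrcmd.zip | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\7z6C81.tmp | sampplr.exe | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\7z6C81.tmp | gagepack12.0_setup.msi | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\7z6C81.tmp | mbam-setup-1.80.2.1012.exe | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\7z6C81.tmp | mbam-setup-1.80.2.1012.msi | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\7z6C81.tmp | iNa0oXzqgX.exe | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\7z6C81.tmp | http://dl.verypdf.net/pdf2txtocrcmd.zip | Get hash | malicious | Browse |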

                                                          Created / dropped Files

                                                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.dat
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):305
                                                          Entropy (8bit):5.391861385561648
                                                          Encrypted:false
                                                          SSDEEP:6:SxMRSYSD/VQT1zNGo953RgeWOWXp+N23fe8rnTzAz7jM41wy:SxMRSYSDST1zNGuWeWfHrf8MXy
                                                          MD5:082AC4724AFDB05C6BE874D59BF9E17E
                                                          SHA1:E839A83023CE7D98D9917A7252566CBA11B9B864
                                                          SHA-256:F232AE2DEB3AF1A569A46BA4F5C9977ACA942230356DD97EADF94EF397EAC074
                                                          SHA-512:41B8C90623C37337778396F97BC7DC272A54D77FAEE7C158F43D3283FD09B03C9E2A98EA83E4B8C28D09F731C26F0989852EC10173BB477A2E50A90FE417CF3B
                                                          Malicious:false
                                                          Preview: MYAH-PREDEF-COMPONENT..LI-COR Spectrum..$..TRUE..TRUE..$..$..$..$..MYAH-PREDEF-COMPONENT..30105611..LI-COR SPECTRUM..0..$..C:\Program Files (x86)\\LI-180 Spectrometer..TRUE..LI-180 Spectrometer..C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\..MYAH64WOW..Win32..OVERRIDECACHE....NATIVE_ENGINE..FALSE..
                                                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6156254
                                                          Entropy (8bit):6.3901059849449515
                                                          Encrypted:false
                                                          SSDEEP:98304:IBCWJvXmK0COmVbcEkT/THDXPaV0L8l4AWn1eyeHszH2OsP4PqyK13icjqsNTUja:IIWJfmK7cEkT/TuV0hZseHiFII
                                                          MD5:A94344CD648287F3BC40B538AF42190B
                                                          SHA1:97A112188EAA93633C88BB7087D021BB565DD232
                                                          SHA-256:1AFB50E204A6511B43D62B8ACF150E256921DF3B2A98046C2F7071377BB30FC7
                                                          SHA-512:A291392F131E37E08D1B6DD67E38D9318CB0C5F4C6B4F6F6EE847FE7E589160B763A3E578F0535A9ADFC016723CFC22F661029D3B2F05C2CD8E495D669C3AF07
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe, Author: Joe Security
                                                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.lnk
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:UTF-8 Unicode text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):3
                                                          Entropy (8bit):1.584962500721156
                                                          Encrypted:false
                                                          SSDEEP:3:g:g
                                                          MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA
                                                          SHA1:57218C316B6921E2CD61027A2387EDC31A2D9471
                                                          SHA-256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
                                                          SHA-512:37C783B80B1D458B89E712C2DFE2777050EFF0AEFC9F6D8BEEDEE77807D9AEB2E27D14815CF4F0229B1D36C186BB5F2B5EF55E632B108CC41E9FB964C39B42A5
                                                          Malicious:false
                                                          Preview: .
                                                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.msi
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.par
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):5676
                                                          Entropy (8bit):5.375673113699956
                                                          Encrypted:false
                                                          SSDEEP:96:d4Gc4OgAWfa0Gmb4jSj11dVH10MjmgKHkjIuNGUbeew:d4Gc49hcmb4jS517H10MjmgKHkjIuNGt
                                                          MD5:4306699D2D0215556B26D402B12C6345
                                                          SHA1:723ED166CC70F4C4FABBA3074AB06F9DF5370307
                                                          SHA-256:765CB9C663E4FB7E1FA43696C2751E648912B358C3BE7C7EBA181B1BB95C16C4
                                                          SHA-512:AA978142182AAFAD834D431AC766517906C25DC58180446431E31C50E9CCB81D365D595E1541E61C72E2AF1AC270D20B0F40A650240DB703F0FAB67C6725473E
                                                          Malicious:false
                                                          Preview: .A4BEB53A4..FALSE..AD35647E..FALSE..A9702C767..FALSE..A194AAD59..FALSE..AEA1BA5D5..FALSE..ADC702C7E..FALSE..AB7ED429E..FALSE..A453607F8..FALSE..AC3C84A4C..FALSE..A353AD105..FALSE..A2E5DCE8F..FALSE..AA3F0088A..FALSE..A51845961..FALSE..A55E6A65E..FALSE..A67ACD331..FALSE..A36706E48..FALSE..A3575565E..FALSE..AF4ED2515..FALSE..AECC34BEC..FALSE..A587D056C..FALSE..AE5444EFD..FALSE..A9847A14B..FALSE..AD532E401..FALSE..AC9AB7ACB..FALSE..A8C4586D2..FALSE..AE379E83C..FALSE..AAD9FE403..FALSE..A44DB77AB..FALSE..AFC8C594..FALSE..AD83B2FF9..FALSE..A774E815E..FALSE..ADAA0442..FALSE..A655FCA3B..FALSE..A1EA7FD63..FALSE..A609B42C1..FALSE..A409F08AF..FALSE..AF28C57DF..FALSE..A7021623..FALSE..A6B339451..FALSE..A6B481F13..FALSE..AD2758F69..FALSE..A655BFA89..FALSE..A383E736B..FALSE..A6C0AF2E8..FALSE..A7493ECCE..FALSE..A6DBFE203..FALSE..A6E896EEB..FALSE..A76F0EEEC..FALSE..AB4E1930A..FALSE..A7DB172CA..FALSE..A4BEB53A4..TRUE..P4BEB53A4_1..C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LI-180 Spectromete
                                                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.res
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:7-zip archive data, version 0.3
                                                          Category:dropped
                                                          Size (bytes):3902968
                                                          Entropy (8bit):6.223067831964042
                                                          Encrypted:false
                                                          SSDEEP:49152:5XHXAgwX91XhXWXbXRXVXgXLwXmJXFPId4xSSS/mlfQYSvpcbuMNXCSpA+xUS5ad:5CASSvWHv5e
                                                          MD5:EDA618F20514ECF18BB76A912EFDCA5C
                                                          SHA1:4C67E979C888877340DEAE91FAB10A47D34CC62F
                                                          SHA-256:35D753D12BAA6A54A74BCCF75D6F5803709E60239E1B7CBD8562D683020A3D4B
                                                          SHA-512:30CE9317979416E40024C2CE5B6F3EF2B454118F9371F5C86948B659B98D8128D07902D3B524C389D6621B0027427DCACEEBBAF1D223A3A63D9818122FC3E952
                                                          Malicious:false
                                                          Preview: 7z..'.....W...;.............[......TFRMDESIGN.0.....TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..
                                                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\instance.dat
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):101
                                                          Entropy (8bit):4.63121992917389
                                                          Encrypted:false
                                                          SSDEEP:3:OiVIWHEqggwYAjSo6IYjhgnnkCsx2u7Ks4v:O6rHEqgEn7Ikhgnnk58
                                                          MD5:41FF25A90398D37064A78587CE16B8F0
                                                          SHA1:146AA66CC7E179191D1450B69E3531EC8719C146
                                                          SHA-256:4E7A57B217C44047CA43E756785EAA73F1416F1CE405DD9E8FB2E31FAEDFB615
                                                          SHA-512:7AB7B7307D8712FE612AA3B0EAFE5DC062C0A970B4F24DCC43949DA9A8CBEC4ACCD1C878C3E0FD07BD9DD3B58281EAA29253965E290818CA6709A15834657893
                                                          Malicious:false
                                                          Preview: {4963F2A4-325D-4774-8D8D-86D68B3EE27C}..{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}..LI-180 Spectrometer..
                                                          C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1335758
                                                          Entropy (8bit):6.607116387652834
                                                          Encrypted:false
                                                          SSDEEP:24576:kKLeEbW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ5e:jLeEbasY6DwOBfrnvV7UeWtPe
                                                          MD5:2957FB70B1A610B54D98CC4FB2F8DCEC
                                                          SHA1:68319EBF22A4B7D3B52B2E1198CF61535D024E24
                                                          SHA-256:30B0CD1B04F0B39251614DB60C5F9AD7E98E4201B46CDF4C850942A14F03ECD0
                                                          SHA-512:873CCADABA7A9A639328B42360166BCC427C7298FF743829C3BE92F0FBD9EF8D000F64B799765EB80D42F8BFC5196BF1083752D33840359909E9DA740B15C489
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%
                                                          • Antivirus: ReversingLabs, Detection: 5%
                                                          Joe Sandbox View:
                                                          • Filename: gagepack12.0_setup.msi, Detection: malicious
                                                          C:\Users\user\AppData\Local\III\7z.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):914432
                                                          Entropy (8bit):6.481500443477186
                                                          Encrypted:false
                                                          SSDEEP:24576:TW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ:TasY6DwOBfrnvV7UeWt
                                                          MD5:04AD4B80880B32C94BE8D0886482C774
                                                          SHA1:344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0
                                                          SHA-256:A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
                                                          SHA-512:3E3AAF01B769471B18126E443A721C9E9A0269E9F5E48D0A10251BC1EE309855BD71EDE266CAA6828B007359B21BA562C2A5A3469078760F564FB7BD43ACABFB
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 3%
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: sampplr.exe, Detection: malicious
                                                          • Filename: gagepack12.0_setup.msi, Detection: malicious
                                                          • Filename: mbam-setup-1.80.2.1012.exe, Detection: malicious
                                                          • Filename: mbam-setup-1.80.2.1012.msi, Detection: malicious
                                                          • Filename: iNa0oXzqgX.exe, Detection: malicious
                                                          • Filename: , Detection: malicious
                                                          C:\Users\user\AppData\Local\Temp\7z6C81.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):914432
                                                          Entropy (8bit):6.481500443477186
                                                          Encrypted:false
                                                          SSDEEP:24576:TW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ:TasY6DwOBfrnvV7UeWt
                                                          MD5:04AD4B80880B32C94BE8D0886482C774
                                                          SHA1:344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0
                                                          SHA-256:A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
                                                          SHA-512:3E3AAF01B769471B18126E443A721C9E9A0269E9F5E48D0A10251BC1EE309855BD71EDE266CAA6828B007359B21BA562C2A5A3469078760F564FB7BD43ACABFB
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 3%
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: sampplr.exe, Detection: malicious
                                                          • Filename: gagepack12.0_setup.msi, Detection: malicious
                                                          • Filename: mbam-setup-1.80.2.1012.exe, Detection: malicious
                                                          • Filename: mbam-setup-1.80.2.1012.msi, Detection: malicious
                                                          • Filename: iNa0oXzqgX.exe, Detection: malicious
                                                          • Filename: , Detection: malicious
                                                          C:\Users\user\AppData\Local\Temp\7z9094.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):914432
                                                          Entropy (8bit):6.481500443477186
                                                          Encrypted:false
                                                          SSDEEP:24576:TW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ:TasY6DwOBfrnvV7UeWt
                                                          MD5:04AD4B80880B32C94BE8D0886482C774
                                                          SHA1:344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0
                                                          SHA-256:A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
                                                          SHA-512:3E3AAF01B769471B18126E443A721C9E9A0269E9F5E48D0A10251BC1EE309855BD71EDE266CAA6828B007359B21BA562C2A5A3469078760F564FB7BD43ACABFB
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 3%
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          C:\Users\user\AppData\Local\Temp\7zAEDA.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):914432
                                                          Entropy (8bit):6.481500443477186
                                                          Encrypted:false
                                                          SSDEEP:24576:TW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ:TasY6DwOBfrnvV7UeWt
                                                          MD5:04AD4B80880B32C94BE8D0886482C774
                                                          SHA1:344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0
                                                          SHA-256:A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
                                                          SHA-512:3E3AAF01B769471B18126E443A721C9E9A0269E9F5E48D0A10251BC1EE309855BD71EDE266CAA6828B007359B21BA562C2A5A3469078760F564FB7BD43ACABFB
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 3%
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6156254
                                                          Entropy (8bit):6.3901059849449515
                                                          Encrypted:false
                                                          SSDEEP:98304:IBCWJvXmK0COmVbcEkT/THDXPaV0L8l4AWn1eyeHszH2OsP4PqyK13icjqsNTUja:IIWJfmK7cEkT/TuV0hZseHiFII
                                                          MD5:A94344CD648287F3BC40B538AF42190B
                                                          SHA1:97A112188EAA93633C88BB7087D021BB565DD232
                                                          SHA-256:1AFB50E204A6511B43D62B8ACF150E256921DF3B2A98046C2F7071377BB30FC7
                                                          SHA-512:A291392F131E37E08D1B6DD67E38D9318CB0C5F4C6B4F6F6EE847FE7E589160B763A3E578F0535A9ADFC016723CFC22F661029D3B2F05C2CD8E495D669C3AF07
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe, Author: Joe Security
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.msi
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.res
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:7-zip archive data, version 0.3
                                                          Category:dropped
                                                          Size (bytes):3902968
                                                          Entropy (8bit):6.223067831964042
                                                          Encrypted:false
                                                          SSDEEP:49152:5XHXAgwX91XhXWXbXRXVXgXLwXmJXFPId4xSSS/mlfQYSvpcbuMNXCSpA+xUS5ad:5CASSvWHv5e
                                                          MD5:EDA618F20514ECF18BB76A912EFDCA5C
                                                          SHA1:4C67E979C888877340DEAE91FAB10A47D34CC62F
                                                          SHA-256:35D753D12BAA6A54A74BCCF75D6F5803709E60239E1B7CBD8562D683020A3D4B
                                                          SHA-512:30CE9317979416E40024C2CE5B6F3EF2B454118F9371F5C86948B659B98D8128D07902D3B524C389D6621B0027427DCACEEBBAF1D223A3A63D9818122FC3E952
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-180_Installer.msi
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):76728
                                                          Entropy (8bit):6.254581045679638
                                                          Encrypted:false
                                                          SSDEEP:1536:edjdN2c6vBVoJFLVbRv4e1R42TtHT/tNzxU:edNmVGFp9B1TtHT/tNzu
                                                          MD5:980ABD131E4B45DC8ED554D3EE0C2044
                                                          SHA1:B6041667248E9AD0CED547B33C16BF1D8A495661
                                                          SHA-256:0D75323B0EEFE651374099234B718DA70FE3C160D62BD73B49579CB07C4DDE4B
                                                          SHA-512:0429B94DD0871CB8EDB02DDDDEF2E5D21D22B09D96DCB1CF937E35B2D085742CEBDF121591902FD0A686078F9F241C5551892D1BBFC15E2B094D39BEBA159C5A
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1305600
                                                          Entropy (8bit):6.66768345397406
                                                          Encrypted:false
                                                          SSDEEP:24576:yIAaJZ7NOcdUT4OELlCRmLrxB4Swz+hLnNlAj4HdH:HcWgYfxSSwz4A6
                                                          MD5:511629FCCFB6C536A8F6FCBF4AA06401
                                                          SHA1:6931DE3FB845AF6CD30348108A98767268EF6200
                                                          SHA-256:65AD010679A748A7174ABE1C314E0F1AE78E7BE69DEC22F0357536F21399C68C
                                                          SHA-512:D51248F81789E8E2DEFB7B59E551B3FF705C8D8BB098AC66E7A4C7C9AF48855544BA44D6256F02052B6D525753A645E7EA601F421A5918446A231775F89E081C
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1050104
                                                          Entropy (8bit):5.617498652730841
                                                          Encrypted:false
                                                          SSDEEP:12288:uIId79EaUTvwieMozMEcOigSpuPMaLium:xIdqaWw1MsbTScP0
                                                          MD5:BE3C79033FA8302002D9D3A6752F2263
                                                          SHA1:A01147731F2E500282ECA5ECE149BCC5423B59D6
                                                          SHA-256:181BF85D3B5900FF8ABED34BC415AFC37FC322D9D7702E14D144F96A908F5CAB
                                                          SHA-512:77097F220CC6D22112B314D3E42B6EEDB9CCD72BEB655B34656326C2C63FB9209977DDAC20E9C53C4EC7CCC8EA6910F400F050F4B0CB98C9F42F89617965AAEA
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):921992
                                                          Entropy (8bit):5.698587665358091
                                                          Encrypted:false
                                                          SSDEEP:6144:EZtaKSpwmx5ATm/LC3fwf3OoU9xkYSr/mdBTRhKWIjsRP/1HHm/hHAM8i6r+LyIU:EZxSpwmxvL/f3vCN1PMaLi6rAyIQjF
                                                          MD5:30A0AFEE4AEA59772DB6434F1C0511AB
                                                          SHA1:5D5C2D9B7736E018D2B36963E834D1AA0E32AF09
                                                          SHA-256:D84149976BC94A21B21AA0BC99FCBDEE9D1AD4F3387D8B62B90F805AC300BA05
                                                          SHA-512:5E8A85E2D028AD351BE255AE2C39BB518A10A4A467FD656E2472286FEE504EED87AFE7D4A728D7F8BC4261245C1DB8577DEEEE2388F39EB7EE48298E37949F53
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\1EA7FD63\B65B8ED4\box_feature.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2152x581, frames 3
                                                          Category:dropped
                                                          Size (bytes):155551
                                                          Entropy (8bit):6.411518614321463
                                                          Encrypted:false
                                                          SSDEEP:768:n/Tstz8ofLN4p+QaOZV4sprBPMCCWn1YyNKlz6J6J6aX6g+6J6JP696J6JsoK3:n/TY8ofZ4MQbesp9Djn1IlzbX8v3
                                                          MD5:BAE95521060E3A852BB0753BB15DE01A
                                                          SHA1:EE52EA3E495D25CF5D0795DDCC2D9AF710EC381B
                                                          SHA-256:983617EEF70FB3AD4BA79E652D15C7254D2CDA3D8C963F9B97AF9E850CCD1631
                                                          SHA-512:AB25284B9A81600F5850CAD8E7E1A9C18D150072DBBC53A3CE1F26A7EFA95980D786EF69E23BB5787F06DEBD0A4D26EE9368713994EED601774FA315CB39DB47
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):24576
                                                          Entropy (8bit):5.444427923348303
                                                          Encrypted:false
                                                          SSDEEP:384:8JZ8/zig4KI5XHhdq4Jrd6T0ZUi/WP0m1g5TkgCGDZaV55K6Z0MFVIZnJ96FkU6X:vBM53ZJrdJUi/WP31d/Gdo5KgLcnJkzg
                                                          MD5:971FA2980AB94A90B6A9A8385267E653
                                                          SHA1:FC739185177A85ED04B71C6A8D5FDFB72D919306
                                                          SHA-256:25E3D0517AFCBD70C1EBB53097F096E1BDA49DC4524E3C858489E5EC12825608
                                                          SHA-512:6D905EC5FCEE1F8ED2870AF0714A6C630DE3E8D8611406486ADDA08ECFC1873BD57932ED73F42EF93E4F49D40FCED13CA5C1C99795E8C0CECBBE6B56327E1337
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3431048
                                                          Entropy (8bit):6.400282478958549
                                                          Encrypted:false
                                                          SSDEEP:98304:ApT2oBS2w3Hp1SSx1Q2z1m6h9f8O30TjrZhdaNEzScif30g6vRpJuz1eyg9q44Ua:AxkQr0JnkTjrZh4jSJYZAqn+IgFyPne8
                                                          MD5:B24DF87B183ACE8FA4ED9D7504DDE689
                                                          SHA1:8C0439BAEE1E2E868A40D0FB524C535E8EDC9EAA
                                                          SHA-256:2B67C9E6F17A6E1DD56CB7F4F0D0A987475272355F758704B3CF1EB7A3E83BDA
                                                          SHA-512:E22ECBCBECE3F3594E8C66CDB17253E29A602512DFA20D80B5BECA4CF930DF83026374BBFFAB113C6A5F8CF83A1C60FE3188E14B87C1468C961FB6B693842197
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\3575565E\3EF45B9E\ANSI_2008.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):880
                                                          Entropy (8bit):4.024090783286004
                                                          Encrypted:false
                                                          SSDEEP:12:cykZUsywNgUhlC9SB1SzsQz3+WS+ineL85LAYr3DVJB4Rhby:cHWLSgU2HzOyieQTDVz6y
                                                          MD5:9A927231F267D229F8F1A82145D7B6B5
                                                          SHA1:3CCA3B1C9A43FD3D3E67C501BD0FC76BEA279C12
                                                          SHA-256:2692C10AC8F820DC79F297CF5375B5ECE84C04F9940ABC7575DBAA419E04F3E4
                                                          SHA-512:E8DBB142E0D1DC047307BBE0604383AF5ABC5B62A2DA0B13F07D59544324FFC745684A2E772E6CF9F1C8FF74B2E6AFD080879EA2DAD262D9EE887346143DD968
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377-2008.......E10.......0.4813.0.4319..0.4562.0.426..0.4373.0.3893..0.4593.0.3944..E20.......0.4562.0.426..0.4299.0.4165..0.4147.0.3814..0.4373.0.3893..E30.......0.4299.0.4165..0.3996.0.4015..0.3889.0.369..0.4147.0.3814..E40.......0.4006.0.4044..0.3736.0.3874..0.367.0.3578..0.3898.0.3716..E50.......0.3736.0.3874..0.3548.0.3736..0.3512.0.3465..0.367.0.3578..E60.......0.3551.0.376..0.3376.0.3616..0.3366.0.3369..0.3515.0.3487..E70.......0.3376.0.3616..0.3207.0.3462..0.3222.0.3243..0.3366.0.3369..E80.......0.3205.0.3481..0.3028.0.3304..0.3068.0.3113..0.3221.0.3261.........CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.459.0.412.0.0027.0.0014.53.7..3000.0.44.0.403.0.00278.0.00136.53.22..3500.0.411.0.393.0.00309.0.00138.54..4000.0.38.0.38.0.00313.0.00134.53.72..5000.0.346.0.359.0.00274.0.00118.59.62..6500.0.313.0.337.0.00223.0.00095.58.57..
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\36706E48\3EF45B9E\ANSI.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1004
                                                          Entropy (8bit):3.811029766434935
                                                          Encrypted:false
                                                          SSDEEP:24:cXRbzjOJi/CG1wwHPINYdBvmCQI9MSDVG:eRfCJi/CGVSY7x39P4
                                                          MD5:30638861125319A8EB54E0F75F953AD5
                                                          SHA1:8091B23543DE04CA3769A9C913C0AFAFD3191BC3
                                                          SHA-256:F6DFE926CECB9139750FC181961260E75817587C353BC525A7E018A2A571DCB1
                                                          SHA-512:3175EAFF7FF111EEBDE48459CDCEDBDD7927F3B0FFEE0B29B53A932F51007F19927E8448B4D31F31D0D95312273511C752E7DD0BC7634EFE212C578EC84DC3ED
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377.......E10.......0.4813.0.4319......0.4562.0.426......0.4373.0.3893......0.4593.0.3944......E20.......0.4562.0.426......0.4299.0.4165......0.4147.0.3814......0.4373.0.3893......E30.......0.4299.0.4165......0.3996.0.4015......0.3889.0.369......0.4147.0.3814......E40.......0.4006.0.4044......0.3736.0.3874......0.367.0.3578......0.3898.0.3716......E50.......0.3736.0.3874......0.3548.0.3736......0.3512.0.3465......0.367.0.3578......E60.......0.3551.0.376......0.3376.0.3616......0.3366.0.3369......0.3515.0.3487......E70.......0.3376.0.3616......0.3207.0.3462......0.3222.0.3243......0.3366.0.3369......E80.......0.3205.0.3481......0.3028.0.3304......0.3068.0.3113......0.3221.0.3261.............CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.463.0.42.0.00258.0.00137.57.17..3000.0.44.0.403.0.00278.0.00136.53.1..3500.0.409.0.394.0.00317.0.00139.52.58..4000.0.38.0.38.0.00313.0.00134.54..5000.0.346.0.359.0.00274.0.00118.59.37..6500.0.313.0.337.0.00223.0.00095.58.
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\383E736B\B65B8ED4\square.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 36x36, frames 3
                                                          Category:dropped
                                                          Size (bytes):811
                                                          Entropy (8bit):6.8734786141017254
                                                          Encrypted:false
                                                          SSDEEP:24:cwbGo0XxDuLHeOWXG4OZ7DAJuLHenX3wwObZF0E9Et:cUfuERAmjk
                                                          MD5:6A90C8F2391DF1AE3A0D4EF59B144E6C
                                                          SHA1:4C751BECA130B036BC5607290444B50104CE262E
                                                          SHA-256:CDE14B0A2A6B19A94EA227306823CCB1AE3C6E12939EAC2204C27F74C28D09DA
                                                          SHA-512:DB46E0B830C1753E7BA7D24AC341E96CBED8E98A96C2F309A1A0A82BE445ADADCB2D03B0D4CE5D194C313E68A9D21CB858EE2E93CBB233239190B1F811AB7581
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\409F08AF\B65B8ED4\box_information.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 1396x416, frames 3
                                                          Category:dropped
                                                          Size (bytes):22296
                                                          Entropy (8bit):6.223707808164865
                                                          Encrypted:false
                                                          SSDEEP:96:cAoE6DTpFWFWFWFWFWFWFWFWFWFWF18Z+Z+Z+Z+Z+Z+Z+Z+Z+Z+ZKgngngngnw93:FopYkkkkkkkkkkIQQQQwGfo
                                                          MD5:AAB4F09BBF6A3AE3E9A95E32958BA66A
                                                          SHA1:9D20AC06988DF7B9872B7CFBC39D8BC90CFB7532
                                                          SHA-256:1549FF975A60DBE53F63D8B977FA43AC1059E96AC2FFA0E0EF311726898ECE70
                                                          SHA-512:D4FF44288413D19BC487133B8E9CEADC8223B64836EB69C6994FCEF28D23FD43E6AA9B6E62F2634AE41CD1471904E28FCFEA0710C6D254B17E1361A8DC8CACC7
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\44DB77AB\7AF51026\LICOR.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:08:07 16:10:23], baseline, precision 8, 424x389, frames 3
                                                          Category:dropped
                                                          Size (bytes):55788
                                                          Entropy (8bit):7.406277105755755
                                                          Encrypted:false
                                                          SSDEEP:768:wjlNHlM3wYyUD6bOu8/Psvvm13GZ7I8fZgnpM89UUWnuY:p3wYDQO5/Ev+1WDfZ9893oV
                                                          MD5:4A482C8F0C46BD5D8C3D6739AD1BC7C8
                                                          SHA1:E543A7289D861A0F9ADD6B33ED1D837AC89FCBA6
                                                          SHA-256:FB2BFC19FBA5DA463FACE6D76EFED53CB1A2F307D3E9C5BED8E7D11B8BBFE2D1
                                                          SHA-512:7F910843D036135070DA2F14524F628C2CE3EFE9A1AEB0DAD1DB63578D1A55C7ED25E573E1A15568A253FDF51D0339423A127703DDAF2EFAC55D2B0E701696DE
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8981
                                                          Entropy (8bit):6.952810377972559
                                                          Encrypted:false
                                                          SSDEEP:192:6IKsjkeBneIyCNECwnVhjeyveCtAW5LfsxhQ8tsU:1KskI/w/jpvjAGLa3t/
                                                          MD5:FC43EB094C0074FCD29ADC9A742371D9
                                                          SHA1:21EA184EB636E45550BD6A18CDAF08AE19DDD776
                                                          SHA-256:993B957EB5EAC489092B25A51473CE9B4BC49835673999BC4A95440318194D8A
                                                          SHA-512:6A1ACB42C8A6A18E956431F62A89E3BFCC3484683C2934358ACA50D3FCB42D7FD244625C39D78B4983050BE26B9C5114AB53E41DB429B56BC336D33A2B4B3380
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):17408
                                                          Entropy (8bit):6.017219183396955
                                                          Encrypted:false
                                                          SSDEEP:384:Hb8p/BVUEZg4exDJKDYh3jOB2raIc15FdIq+m:mcdY0h8GaIudB
                                                          MD5:812318F3E7BD682E1C22F0B707F66E82
                                                          SHA1:AA17A293AEC2BF1239779A8D439F84B2602D76AD
                                                          SHA-256:9B4C47FAA4BD6F22E75CF8430BAC37E48108C35B6737850E583EFDC37C4D8A81
                                                          SHA-512:961BF96B873E269AD566B33243DF872D989AAB6EB51E29CC984D26BCCC331DDB60B45B301C2FD13D9F5E10BC26CAEFBD948D305D35EBAA22515453A3CD57CFD5
                                                          Malicious:true
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14592
                                                          Entropy (8bit):6.033771703962439
                                                          Encrypted:false
                                                          SSDEEP:192:+Dj6z0KomA4LWbM09xLu+YMJpJ7CBMS8iCtSRGb2T+OuT+evhuj4tmkG:+Dj6zHAqW2XwFCjRjyHyevdm/
                                                          MD5:599F3715602F4CB09AD0FDC606E3B9D9
                                                          SHA1:659F9A1CF662260F3FB197E6FE3592922014E831
                                                          SHA-256:589FEA41EF48ACD9F0FC54AB25A430E5627D17E8EC3C950F3C5CB71C348E9B8D
                                                          SHA-512:56E55D7FD6330E2BBE60BD79D7502E22CEDC9F448982C54E9C924BD57B3C0741E634883435BA4621DB80852D7F47A081FA4FA4302217BFB4BF87558F7EC233BB
                                                          Malicious:true
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\587D056C\9426740A\CHK_20131028_165820.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Microsoft Excel 2007+
                                                          Category:dropped
                                                          Size (bytes):8720
                                                          Entropy (8bit):6.701734712242596
                                                          Encrypted:false
                                                          SSDEEP:192:8RuQ59v4QSpEeUWb2CAvib49uOHbYJy8Wn:O5l4QSpNJb2CAve49xHbr8A
                                                          MD5:BFC68AF73FFA1AA121D292B61E6EEE17
                                                          SHA1:A45A0D6C4CC9571BC9DB1E5984EB42BA467A61C1
                                                          SHA-256:857F749226E477CD880AD1EFC5CFE90F819CA7187E3E229C341FC892F516BB62
                                                          SHA-512:1CA0F915594FBD9359A301852DB87FC62C29D7C27513A35BBD314106BA3DC58331D60DAC875F29ECCC642CF34C9D4BD5E2D79122D7B278E1FCB4251F879741C3
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\609B42C1\B65B8ED4\box_feature_ppf.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2152x498, frames 3
                                                          Category:dropped
                                                          Size (bytes):139076
                                                          Entropy (8bit):6.441878302402045
                                                          Encrypted:false
                                                          SSDEEP:768:nFJstzSYvn58tludWBaUVvef9YyzH+HRXPKX+HRgH+HlgPKw+HRgH+RPKUPn:nFJYNv2luEBaWmf9H45I4e4lOj4eKdn
                                                          MD5:13BC7A5820F748A41E20452055D323A5
                                                          SHA1:CA4D14E7B696A27A8D607AB390C056AAD8D47A45
                                                          SHA-256:1C16416D81D5078A524B0DCBAFFD9A74A6DFB01E694A27B9C43EA1DAAC3AA03A
                                                          SHA-512:2E60EC4AD6A9B9B6204BFE9046555FABF683C95CDF81168F15DB06FEC1B2782250C5FBA17B4B2269F2D6776609D3AD372E9658CB1BE3E6AB16BF8BCA0F768C68
                                                          Malicious:false
                                                          Preview: ......JFIF.....,.,.....,Photoshop 3.0.8BIM.........,.......,........|.http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:dc="http://purl.org/dc/elements/1.1/">. <dc:format>image/jpeg</dc:format>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang="x-default">20141009-2</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:xmpGImg="http://ns.adobe.com/xap/1.0/g/img/">. <xmp:CreatorTool>Adobe Illustrator CS5.1</xmp:CreatorTool>. <xmp:CreateDate>2016-05-03T14:13:19+08:00</xmp:CreateDate>. <xmp:ModifyDate>2016-05-03T06:13:23Z</xmp:ModifyDate>.
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\655BFA89\B65B8ED4\LI-COR-logo.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=12, height=684, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=3447], baseline, precision 8, 800x158, frames 3
                                                          Category:dropped
                                                          Size (bytes):87232
                                                          Entropy (8bit):7.76374401337514
                                                          Encrypted:false
                                                          SSDEEP:1536:bYczYcIalM6o5JJtLgDjnRG1fvAHDlwivG/wIqZ:bLpzoX4jnRG1fIhwiv4qZ
                                                          MD5:76FB5E4E25D73167940320BD69523801
                                                          SHA1:6EA73FD9F333AED01255690D5704FC031AD14D96
                                                          SHA-256:A4C401598FA51A19AD762520C3D217B8C4D0A7626B169C6A60B2126A7E53FE9E
                                                          SHA-512:9CD93A5CE8429490D47E50FA86DC2C18D167AA1AF9716AAB079D627A6DD1AD35EE388DABC25EA27C3C2B768F82FF17FDDBF10B24A140C252F67DC19325212D6F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\655FCA3B\B65B8ED4\box_basic.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 646x416, frames 3
                                                          Category:dropped
                                                          Size (bytes):9428
                                                          Entropy (8bit):5.6390537195983566
                                                          Encrypted:false
                                                          SSDEEP:192:c6yVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVMVUrVUrVUrVUrVUrVUl:hyVVVVVVVVVVVVVVVVVVVVVVVVVVVVVK
                                                          MD5:D6BF0E1638C32635B4B0E330DD4DA28E
                                                          SHA1:92B2747EB2E1DD1907697B4B40AA139448F4A653
                                                          SHA-256:5950D7AA6792FCDE26529D5C213954C33441C783C4DEEE2283AAA4998AC6EFE0
                                                          SHA-512:5140109E879C83EE9F7BD0D014D5004823155EB0E080DCED2FF10355C2A03E513318FCC83A610BDC55EAB00554CD0ADB6B1A909C50121809EC2A7116BF08EF40
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\67ACD331\98FBEBF9\Reference Spectrum.xlsx
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Microsoft Excel 2007+
                                                          Category:dropped
                                                          Size (bytes):34235
                                                          Entropy (8bit):7.799348435900692
                                                          Encrypted:false
                                                          SSDEEP:768:VXOQ5UiKo1zFbU9ZnApNIBZiQLmNI2e6vWRJFu3D7:VXiiKo1zFbU9ZA/IHi0mGz6vW/FaD7
                                                          MD5:C06B8A0334EF85F888F3DBC85669C3FF
                                                          SHA1:CAE0D2805B7452816D5CAC7C7A6B621EAC5E3F7C
                                                          SHA-256:E04ECF261F03F9168CD85B6FA025AC57917CD44B713B1A8D530B20C446C1211F
                                                          SHA-512:70F83D59F1496B16CA45C60A7E1C24A0FA526E1424FE6CBA0FAA4DC43033BA5B7B52C9C015F3EBF0475B9624C41C3A2FEF43CAA1BF76A4AF66ED0B2D0E7C22E6
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\6B339451\B65B8ED4\chart_criw.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 674x635, frames 3
                                                          Category:dropped
                                                          Size (bytes):27880
                                                          Entropy (8bit):6.875985710971225
                                                          Encrypted:false
                                                          SSDEEP:768:TToaGXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgJ8bXm:TsaGQQQQQQQQQQQQQQQQQmb2
                                                          MD5:D1A53D4B64F05A2871B04470C035F9D9
                                                          SHA1:BF0CD7A2DC6707C59D3038CC40A3F34F8629A240
                                                          SHA-256:FC9B2EFF24902D0408371AB727507F7C53F805038D340792D00D906E88E4AED5
                                                          SHA-512:5A9DFFB0AC796903E6E04B388C253F8234A2E86FDDA2FD5ACE230C6D3405DEF0F54C726DF81A2C862750F60BF497F35DE503EA0D4E430015674B15BC29DE8C4F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\6B481F13\B65B8ED4\cie1931.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:05:23 17:14:42], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):350390
                                                          Entropy (8bit):7.157320861579299
                                                          Encrypted:false
                                                          SSDEEP:3072:u3OzT+4vPqniUMWkPnMgZAWt9B2yxQ5FKIEaya4VsvSPcHNIjykqDY7oyZ5J1:jvPqiUMWkPMcBa5Fzn4kMcHNoHEyZ5X
                                                          MD5:38DFEBA72CD538D1256B67D2BF8FAE0C
                                                          SHA1:F8711D63148468FD8D712599342C504A0D1D3B72
                                                          SHA-256:FCFB2D1F9E427F3F1B8ED33B377D0493A0B9F0C7B5172C13DAABABD1F0086B9C
                                                          SHA-512:EB9151D05FE8FA3D3001581C276A802CAE768CD34A0F77FBFED9D44872BC41BA1D9C18625C2FBA24D625447B4769356F45E375927C3619BFA11E3A5F31109E81
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\6C0AF2E8\BE4A257\LICORlang.ini
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                          Category:dropped
                                                          Size (bytes):269766
                                                          Entropy (8bit):4.17943553746763
                                                          Encrypted:false
                                                          SSDEEP:3072:uukCl9EIczUzZz+zrJZzU7ugHJ2L30fNy7IrwnN5ME+siFGV9q88YFUn8fS5cP/1:vXF8tV
                                                          MD5:6B5601074757D38741CE5675B76388CB
                                                          SHA1:A10E15E42235C7910BA7241A5415E6426943D947
                                                          SHA-256:BD4B17BFFC964B105918140E2B15AF0C29292ACBFFB06E568E1269361B99F9DB
                                                          SHA-512:311E71E2570A5C39BF7C85573F11DDB449518413679BDC1219BF4D36239E7142053EC3D7B96A5359C1B25BD20744F3C6D0F24E94981EC297671100B57BA7EAFE
                                                          Malicious:false
                                                          Preview: ..[.C.H.T.].....B.A.S.I.C._.S.E.T.U.P.=.._...j..yr._<P-..[....B.I.N._.S.E.T.U.P.=.B.I.N.yr._<P-..[....B.i.n.E.d.t...C.a.p.t.i.o.n.=..}/.hV....b.t.n.C.o.n.n.e.c.t...C.a.p.t.i.o.n.=.#..}....b.t.n.C.o.n.n.e.c.t...H.i.n.t.=.....b.t.n.D.a.r.k...C.a.p.t.i.o.n.=..f!hck....b.t.n.S.e.t.t.i.n.g...C.a.p.t.i.o.n.=....|.T-..[....b.t.n.D.a.r.k...H.i.n.t.=.....b.t.n.D.i.s.c.o.n.n.e.c.t...C.a.p.t.i.o.n.=..e.}....b.t.n.D.i.s.c.o.n.n.e.c.t...H.i.n.t.=.....c.b.B.i.n.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.C.h.k.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.C.o.u.n.t...H.i.n.t.=..}..!kxe....c.b.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.L.o.g.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.L.o.g.I.n.t.e.r.v.a.l...H.i.n.t.=..}...v....Bf......c.b.L.o.g.I.t.i.m.e.C.o.u.n.t...H.i.n.t.=..k.fIQBf...}..!kxe....c.b.L.o.g.I.t.i.m.e.E.n.d...H.i.n.t.=.P}_g.v.fIQBf..<P....c.b.L.o.g.I.t.i.m.e.G.a.p...H.i.n.t.=..fIQBf.....<P....c.b.L.o.g.I.t.i.m.e.S.t.a.r.t...H.i.n.t.=.w..Y.v.fIQBf..<P....c.b.L.o.g.t.m.H.M.a.x.V.a.l.u.e...H.i.
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\6DBFE203\342BBCE8\Cold.asz
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32243
                                                          Entropy (8bit):7.983643036707625
                                                          Encrypted:false
                                                          SSDEEP:768:FwZk43Try4rswSIWlZDbkP3PTVVzN7DlKe8pGY7eKIfi:FwK+yMswSbfDb07DzxlEqVi
                                                          MD5:AC1C8E08E905B7F2050F55295A054FF1
                                                          SHA1:76C174B7C484DE9691DE8F60E790222D1D5362D9
                                                          SHA-256:332EA0360575D993483B891C19DA9115342C8B207722C072E64F6D960BDA27E2
                                                          SHA-512:2F56A66363FB558760BB8BFC370EB5F6E3ECD3037FD6BA9763903BC0F1C420421FC55CA160EBA97A2772A49949BC649FBE66BA010C5BD456ED23DA88007052C9
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\7021623\B65B8ED4\chart_cie1976w.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 663x654, frames 3
                                                          Category:dropped
                                                          Size (bytes):49281
                                                          Entropy (8bit):7.677803253072959
                                                          Encrypted:false
                                                          SSDEEP:1536:HOz9vOQugFYu+r15YmntUPmng1hlWzqivgb50oVSLs6h9OTT+0:uz3FwxOPmg1GCSooLs6hM+0
                                                          MD5:4AE6C98119702AD8DBE19815759A9AD5
                                                          SHA1:DD6246D6C6A2606AAB9725156B6F3C6554670D60
                                                          SHA-256:948DC9829F0D27B461B7410CC20E42E8299FD9DC7CF29AD4C269133873A06810
                                                          SHA-512:2CD288A1E3FD13D44DD2C1F3B8D9ADEC9EC43231E71882CEBDF8D101DC1199018B20227E88B4B73310C019F26786D991CCB230E5D46340A913C5D0FB271B4DCB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\7493ECCE\C0705257\CIEO.CFG
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):25871
                                                          Entropy (8bit):3.628876107565113
                                                          Encrypted:false
                                                          SSDEEP:768:tAqlIjLdNeBa/QlhO4erymyb2U2nCGqsjIogBLFenLwfl:tAqlI1NeBaolhOLrymyz2nCGqAgBLFeE
                                                          MD5:2ED1B9435809772B68294D38B962DE19
                                                          SHA1:ECE1D3D025626D350683E7070382F235FC9FE09B
                                                          SHA-256:67F5DF4714FB4E1D09FC592DDD4AC6B6FAE220B25F5CEEF7B1B538AA653FF465
                                                          SHA-512:175FD4219059AEFBC9EDF83359AEE72FC90E8A60048A6A11EBBE15B8F62F9981899D2827D791600998B4D67CC6C2703B4FAF82B520BA5411AE9247C44401BADC
                                                          Malicious:false
                                                          Preview: 401,380,780..0.17411.0.00496.0.25686571.0.016464427.0.25686571.0.010976284..0.17409.0.00496.0.256832415.0.016464184.0.256832415.0.010976123..0.17407.0.00497.0.256787756.0.016496404.0.256787756.0.010997603..0.17406.0.00498.0.256759747.0.016528743.0.256759747.0.011019162..0.17404.0.00498.0.256726457.0.016528499.0.256726457.0.011018999..0.17401.0.00498.0.256676525.0.016528133.0.256676525.0.011018755..0.17397.0.00497.0.256621308.0.016495188.0.256621308.0.010996792..0.17393.0.00494.0.256588798.0.016397312.0.256588798.0.010931541..0.17389.0.00493.0.256533573.0.016364361.0.256533573.0.010909574..0.17384.0.00492.0.256461702.0.016331288.0.256461702.0.010887525..0.1738.0.00492.0.256395126.0.016330806.0.256395126.0.010887204..0.17376.0.00492.0.256328554.0.016330324.0.256328554.0.010886883..0.1737.0.00494.0.256206027.0.016394531.0.256206027.0.010929687..0.17366.0.00494.0.256139471.0.016394047.0.256139471.0.010929365..0.17361.0.00494.0.256056282.0.016393443.0.256056282.0.010928962..0.17356.0.00492.
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\774E815E\526B362B\LICOR-about.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 145x435, frames 3
                                                          Category:dropped
                                                          Size (bytes):12917
                                                          Entropy (8bit):7.841242072236601
                                                          Encrypted:false
                                                          SSDEEP:192:A+rZ8DyGZb+SvEEnb81eH1lJzjrFW/tUBHWTYrwwJpU8jDI0VRcYgVNJv2OsZEFs:rWyZbU8ATJk/2RDPfXfj7gYOej9
                                                          MD5:AEB44B1C85804C8574E0E56037233558
                                                          SHA1:1F115B2CCFF90DCD80DE33501BB2341827A65DAA
                                                          SHA-256:0D91511EC270698D449798FEAF766B1A3820CB659BC2E37C10B52F39D7046B17
                                                          SHA-512:347B732569F61C725355394724224063F759A430E71523F8C24CA19C041E67AC9402B6FE50C1056000CF9E36F94B7BC20D7F1891E67D2F002BD44AA0626DEF3F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\8C4586D2\7AF51026\cie1976.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:08:09 15:30:04], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):304735
                                                          Entropy (8bit):6.764574393450863
                                                          Encrypted:false
                                                          SSDEEP:3072:U9qqfJ6k0lWHQD3N5i85cLpl6Dziokg5ZVpLe+BUMx8Ni07c/FXr25:eq+elWHQD9Cz6Dz13ty+Bhmc90
                                                          MD5:0C86034B78AC08E8EBF4751066FF4508
                                                          SHA1:9E2CF625C636D92524BBD3787C326CA0A411150B
                                                          SHA-256:B5426827E53E27D35BA83DE51C5367BA595AB1B22C2411E3B0DCBA31C6896886
                                                          SHA-512:C25574138EE7544958DA6FC1BEE3BC0C5495547CF04DE9AC39827E2340B58593897F5F2BEEB62F5A932FC95086AD833A92D9DDA52D83758BC86AC007ED00C29E
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\9847A14B\B6D77E4E\ESPD_LI-180-000.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):7336
                                                          Entropy (8bit):4.207813795706626
                                                          Encrypted:false
                                                          SSDEEP:192:caWYFcBd/EL8XoWGUoN8y/kc6L4eexSZod/D0FiMwX6:ckICL81LoN8IOeoYD08MZ
                                                          MD5:75F5F0228EF83924EDAF8B5AA0DE93F9
                                                          SHA1:A34DEB51928DDA684CEB73B267831E5D2832A591
                                                          SHA-256:EE507AACFCA46227BE426667327F5F65432AB3EAE545619B7B05583EB95AEFA8
                                                          SHA-512:0949B79F2FF3A24CC3F2F807017FBF09F3393AC11BB46B52F5310609F0F4B31F7DB972E451CD404119806B2F376C9476C5E5BD26EA60A75030A0BC00E2A70BAD
                                                          Malicious:false
                                                          Preview: Model Name.LI-180..Serial Number.C16M0094..Time.2018/06/07_18:36:47..Memo...LUX.551.286071777344..fc.51.234764..CCT.5279..Duv.0.002312..I-Time.810..x.0.337865..y.0.350262..u'.0.207044..v'.0.482941..x10.0.344416..y10.0.343235..u'10.0.214256..v'10.0.480423..deltax.0.000138..deltay.0.004687..deltau'.-0.001705..deltav'.0.002342..LambdaP.449..LambdaPValue.14.203784..LambdaD.564..X.531.774719..Y.551.286072..Z.490.864868..S/P.1.821943..Purity.0.064435..Pct Flicker.0.000000..CRI.72.959000..R1.71.421402..R2.76.906075..R3.79.229408..R4.73.710800..R5.71.450272..R6.67.357368..R7.81.994560..R8.61.602081..R9.-16.864355..R10.43.786861..R11.69.502899..R12.42.744762..R13.71.495804..R14.88.912788..R15.66.517227..CQS.71.641174..GAI.81.695618..TLCI.50.887054..Rf.70.698936..Rg.94.557259..PPFD.7.529354..PFD-UV.0.006745..PFD-B.1.763472..PFD-G.3.702757..PFD-R.2.114594..PFD-FR.0.278020..PFD.7.806673..IRR.1.697261..380nm.0.099609..381nm.0.099624..382nm.0.100046..383nm.0.101189..384nm.0.101241..385nm.0.095187..3
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):19456
                                                          Entropy (8bit):5.5838184446755195
                                                          Encrypted:false
                                                          SSDEEP:192:2fW3/zOHLiVaL/qqPhh0m1ooaJOz6CXPaxEL+GIn0alGalILp/JSUJj6jLfJv19U:2fW3LOHLdLCI0m1Xz3fW01alInS1LFv
                                                          MD5:CEDF7CFFCCD03451FD22DBAAC2E3DE8E
                                                          SHA1:3FD8383608DB769A1E2C8E0C1302C315DCA8B37E
                                                          SHA-256:A1F4B952099EBA4BA4E659782F85B45C4BBB411BF5B7C02D5BE0CC3DBF27AFF3
                                                          SHA-512:BBA0BF8C75E5A1B1AFC72F5B5A33CACA721DBB4589DE7B3430398AE147E2E2CF18A15932DF62D32423B1093453B55B48B9E99FB7549135E3CF33976229C47376
                                                          Malicious:true
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#d..g..g..g..n}w.e..g..B......b......e..n}g.d..n}q.f......f..n}n.b..n}p.f..n}u.f..Richg..........PE..d...A.?L.........."......:..........d...........................................................................................................P.......8...........................@a...............................................`..@............................text............................... ..hpage.........0...................... ..hinit....U....P.......6.............. ..h.rdata.......`.......8..............@..H.data...0....p.......>..............@....pdata...............@..............@..HINIT.................B.............. ....rsrc...8............H..............@..B................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\AD9FE403\7AF51026\GAI.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:11:20 16:36:56], baseline, precision 8, 394x472, frames 3
                                                          Category:dropped
                                                          Size (bytes):36337
                                                          Entropy (8bit):6.764811903181098
                                                          Encrypted:false
                                                          SSDEEP:384:gKibD1sWGibD1LnE3rvkPYNg707osesesesla:gKvWGAE3rvkPYy9sesesesla
                                                          MD5:F6A740B37593A25B3303F21BB5C79123
                                                          SHA1:E84EEBD8AD1C57D3EA08C6A838816FFC041971B4
                                                          SHA-256:5D44CEB519861E072FCDEAEE1D3530FA59D573AA5C80BFE06C39BA83AEE7CEBC
                                                          SHA-512:8B7F40BBED567DBC12F273B384B3C6D0F0F27CECFFE8FB6F8E59E27C91A21865AE972E722D1473660857A10048D26E3D9E4D79417E67245ACC86508DF4C1CA7E
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\B7ED429E\E1510A13\setup.ini
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):639
                                                          Entropy (8bit):5.225501775126988
                                                          Encrypted:false
                                                          SSDEEP:12:o4W7yQSuA5Q0ZAFXYFP3oZjAjwMphMpYNS75qyR910OUGyy:o4sSuASFFuPYZj2py2N0syR9apGyy
                                                          MD5:80DF0F8F1C0B01912035B8EDBEE3FCA4
                                                          SHA1:A375BB2019091745C5A65CFD6CCC13F3459395FC
                                                          SHA-256:2DCEAA5F2B3661B8BBFC8C3EB4C8AA9464D1A113C53375A0B23618CA32F98EAB
                                                          SHA-512:7C4FFBB64965074667987D88E740046DB9BD17916A6D6019EBBCAAD441A7AB07E88A29E9FB5BDF07C6F58AE19120935EBCD650D0F9B03DC3E969911181749002
                                                          Malicious:false
                                                          Preview: [Driver Type]..USBXpress....[Driver Version]..3.3....[Product Name]..Silicon Laboratories USBXpress Device....[Company Name]..Silicon Laboratories....[VID]..10C4....[PID]..EA61....[Relative Install]..Relative To Program Files....[Install Directory]..Silabs\MCU\USBXpress\....[Install Subdirectories]..x86..x64....[Install Quiet Mode]..Off....[Uninstall Quiet Mode]..Off....[Copy Driver Files]..No....[Remove Copied Files On Uninstall]..Yes....[XP_2K_2K3_VISTA INF Files]..SiUSBXp.inf....[XP_2K_2K3_VISTA Driver Files]...\x64\SiUSBXp.sys...\x64\SiLib.sys...\x86\SiUSBXp.sys...\x86\SiLib.sys....[XP_2K_2K3_VISTA Catalog Files]..siusbxp.cat..
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\C3C84A4C\E1510A13\SiUSBXp.inf
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):5.224754517663399
                                                          Encrypted:false
                                                          SSDEEP:48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
                                                          MD5:BC384072A8A9F073B51EF98ACF303D5B
                                                          SHA1:30235521EB314146B1FD71B67F3CE7D920E2668D
                                                          SHA-256:0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
                                                          SHA-512:7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
                                                          Malicious:false
                                                          Preview: ; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\C9AB7ACB\7AF51026\cie1931.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:08:09 15:39:41], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):336534
                                                          Entropy (8bit):7.115911162455732
                                                          Encrypted:false
                                                          SSDEEP:6144:GI2tAK++2lUccb5UeseFVYp9WabwF+3bbveA:GI26Kl2lURb5UeseFIWabw83bbGA
                                                          MD5:A4EC7C5FA49097EA26788ECF321A50D0
                                                          SHA1:087058EFA3499B861E24C32A6EB5B86C86470935
                                                          SHA-256:CA503EF7FDD964353860C55ED9924F9F02434D07B2A075E8E477CAFBAEF195F1
                                                          SHA-512:91D99DF6CB4F2DF763C6F9CA59DE45AF3647142F371BFCE672519523285EF94F57403617EC37806F3E131E682925AC8AC12B2C381306C2E5BF5491FA98DD0260
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D2758F69\B65B8ED4\cie1976.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:05:23 17:15:12], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):313463
                                                          Entropy (8bit):6.814020649307973
                                                          Encrypted:false
                                                          SSDEEP:3072:xzqzFaS2L8hls4H5oU4+6h/qeGVra2FA6nZqWTs9MRS:xzqzFp7ZoA11a2F/n1T3S
                                                          MD5:E6F16A7651B2C498F5506220CD24B3F7
                                                          SHA1:A1463B7A75A1309135F086CD026A334439EE624D
                                                          SHA-256:BC3CD3B0F623353B0067F670DA41E5639E2BF722954A67D3737E7CBBF39F6291
                                                          SHA-512:F66867FA36BA8BB34690FECACEB9FFB07E966B61D0994C19B5E1A1D637C7D3393E5B313C3F48FC03743E0E0F7BF998B9C3E51203F8160EA2C08CF87F425BC3AA
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):20469760
                                                          Entropy (8bit):6.646788174507154
                                                          Encrypted:false
                                                          SSDEEP:196608:r4Z+O+3MQUGqcJ8g+QwA9Nst9zmJemKD:r4xJGOA/Ooe7D
                                                          MD5:4CB8BE08741CF33831104499F1240830
                                                          SHA1:ACE76BA4ECCA1A4CEA87CFA539F60E969258DBA9
                                                          SHA-256:26A4B2A211FF8078C7E232A1AE4290A92BD0DF171E5416CBC97BC3B4C3379681
                                                          SHA-512:37FEF919B225EBB1E78E36A91C3A2D1530B47F65B8226B07BB9A86AEFD1B0F7889EC05CB731EBE2AFD2B346456B3FE5AC7AC95682B788366F3C5977E2B1A4D26
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, Author: Joe Security
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D532E401\20073942\mdd_0.ttf
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:TrueType Font data, 15 tables, 1st "OS/2", name offset 0x30a0dc
                                                          Category:dropped
                                                          Size (bytes):3189464
                                                          Entropy (8bit):5.995760690515092
                                                          Encrypted:false
                                                          SSDEEP:49152:aKGJGTV0L61KRCn7GvLkNrxCQ4Skrrlh67iPFfR:XGJGR0L3k7AhrrltR
                                                          MD5:134EA9D05DB33ADF680B8440F715CCF9
                                                          SHA1:3122FD8759ACB7562A98F6349EF0E2E46A018895
                                                          SHA-256:70F760EE31BB569EC53E33B44A699643898DC8C65B3034E370953AFD1E63964D
                                                          SHA-512:C512C3F68EB90C5A6D78D2F00559A42CE492131F0CC6B18A5483B57E906793EFAFD25785F0836483214333AA9E77960DD6C6F32FC8292178644FC9E4D2B91A9B
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D83B2FF9\7AF51026\tm30image.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2015:12:30 17:35:06], baseline, precision 8, 800x800, frames 3
                                                          Category:dropped
                                                          Size (bytes):94892
                                                          Entropy (8bit):7.270988868597474
                                                          Encrypted:false
                                                          SSDEEP:1536:s8c3FL8w+sqCi2MhzmZRRgFwHXbGZC17CFIQTUH4dlqUtIeKFwWIQI5uDKRID:s8MF1hinpmZRR0WXqZC17CFV4YdcTeKX
                                                          MD5:628BA21B5C6B2759EAE8A66A6BE2C6C3
                                                          SHA1:349D8736B69DCBB1A0C58736B5006E19737D2144
                                                          SHA-256:871AF5869E6B0D8AAD4EE8B45AA02B4349FE0BFD35B0B6960DC7C177E33DB05F
                                                          SHA-512:70FDE4CB2C719F10B6B407FDB5453B2D7CD672F3FE3F8185CC86B988FC94A2680E8161E382DAF2C99F04ECA0654A6E1DB38FF0D41A672928FEC508E50649CBD7
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\DAA0442\526B362B\LICOR-start.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 600x360, frames 3
                                                          Category:dropped
                                                          Size (bytes):20110
                                                          Entropy (8bit):7.456114321529859
                                                          Encrypted:false
                                                          SSDEEP:384:NJ22ogJO6LBHPVzp7/C5Xy2bbd4632YQdkA4lliVhU:kgJO61NN0Xykbd4IQ2A4lliVhU
                                                          MD5:DB5050170386F50D5268871E82F8CF49
                                                          SHA1:269AD18CEC7382CE70192A9E9805324EE50889A9
                                                          SHA-256:C3242691970CAA16C3508D08309EEAEB38310AF944EB05CC51FD32ED31F9D14B
                                                          SHA-512:70C31CF3ECD273AB431F7A92BA7D44AC57ADF9B49B8C2A10C2A8180A26ADB6CE8BE156E2412336B1FC434C46381BB95BF1A98D682B26275A3F2433CE83AADBB6
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):90112
                                                          Entropy (8bit):5.9593050226304385
                                                          Encrypted:false
                                                          SSDEEP:1536:EFrG2x+yr66sN/Cnj3sxacCtmkAdheNcief1n9JNABxojxiM:E1G26wjNtkT9JaBijU
                                                          MD5:8D32BE58B5F5BD7317628BF6BE577DB7
                                                          SHA1:C43BCE281CDB08C4B36D7C15B2817C901B75A9EE
                                                          SHA-256:4CB634E37C2622AFBCDDF706868F4E992DB59B7BBB6F99820EC636307F833C32
                                                          SHA-512:DB27E8DD5361424D98C4894B8D9163CE88A51F31F343C8474CCEB30C353EEBFBAD92F2A252B299E7E52B203CB69388E875CFE5680BBA36D7ACB807F955D0EC77
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\E379E83C\7AF51026\CRI2.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=12, height=945, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=945], baseline, precision 8, 800x800, frames 3
                                                          Category:dropped
                                                          Size (bytes):317756
                                                          Entropy (8bit):7.8934485714815565
                                                          Encrypted:false
                                                          SSDEEP:6144:mbVolEvG4/Rkez+lh6MLh/kRG2x2yiQpWMJGzxBYDH:GolEv6ez+SY2vpgYDH
                                                          MD5:F41266D03391E18B49F781EC376AE02E
                                                          SHA1:776BD803EDA70C5463F595B670A17F1CBEC3045E
                                                          SHA-256:D6F4C7DF131CEB1357BF951E2AF27349A583D53500A9CA0D60BDF2F0202DE8D6
                                                          SHA-512:0D6D6D0B0F01AFE5585E7011F19ABE85305418819C8F319CF13E0CC1591C9A462E8388C5C3F9EEC4D8190C080BA69E075784047A9E9C1CF7CE96AAD22135FFA4
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\E5444EFD\CD0E66BD\LI-180_Log_Example.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with very long lines, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):3750
                                                          Entropy (8bit):4.008741802403102
                                                          Encrypted:false
                                                          SSDEEP:48:+8OFBBLkDlmXEhePfniR+sZ5URhyfahrXp7zfBSLnJ+PnshS6CI+zRI7yjShRhxd:l0Rvni6RbpXfCnISCdnwX/JU9kwbC6He
                                                          MD5:6B725689715D05FF07DDD4446546AE98
                                                          SHA1:E6393831097644DA12EE0CEEFE2C4E3FFD60CD7E
                                                          SHA-256:6BFED87E667BACB00FB1BD98AC564E4A43A120679BE91378C485FEDD5D91A7FE
                                                          SHA-512:9C3A3D4632B9E0076F61966252480068B3343F709F5A923E84D70DEA2BAE21DD9500F4B6146B048F7092333BFDCE9B78EF4D79AB49BD8359FC5D572A6CFC80C5
                                                          Malicious:false
                                                          Preview: Model Name.Serial Number.Time.Memo.LUX.fc.CCT.Duv.I-Time.x.y.u'.v'.x10.y10.u'10.v'10.deltax.deltay.deltau'.deltav'.LambdaP.LambdaPValue.LambdaD.X.Y.Z.S/P.Purity.CRI.R1.R2.R3.R4.R5.R6.R7.R8.R9.R10.R11.R12.R13.R14.R15.CQS.GAI.TLCI.Rf.Rg.PPFD.PFD-UV.PFD-B.PFD-G.PFD-R.PFD-FR.PFD.Pct Flicker.IRR...LI-180.C16M0094.2018/06/07_18:38:57..543.148682.50.478500.5279.000000.0.002312.810.000000.0.337866.0.350264.0.207044.0.482942.0.344412.0.343248.0.214248.0.480429.0.000139.0.004689.-0.001705.0.002343.449.000000.13.986156.564.000000.523.924194.543.148682.483.612244.1.822421.0.064443.72.989456.71.441299.76.929138.79.267715.73.732475.71.476006.67.393066.82.017883.61.658089.-16.677534.43.856194.69.527214.42.825092.71.514412.88.933922.66.551353.71.674065.81.703079.50.969234.70.737282.94.565559.7.421987.0.007622.1.738674.3.647980.2.086047.0.279896.7.702174.0.000000.1.674243...LI-180.C16M0094.2018/06/07_18:39:02..569.244202.52.903736.5288.000000.0.002364.780.000000.0.337633.0.350170.0.206922.0.482862.0.34
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\ECC34BEC\3EF45B9E\ANSI_Ellipse.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1004
                                                          Entropy (8bit):3.811029766434935
                                                          Encrypted:false
                                                          SSDEEP:24:cXRbzjOJi/CG1wwHPINYdBvmCQI9MSDVG:eRfCJi/CGVSY7x39P4
                                                          MD5:30638861125319A8EB54E0F75F953AD5
                                                          SHA1:8091B23543DE04CA3769A9C913C0AFAFD3191BC3
                                                          SHA-256:F6DFE926CECB9139750FC181961260E75817587C353BC525A7E018A2A571DCB1
                                                          SHA-512:3175EAFF7FF111EEBDE48459CDCEDBDD7927F3B0FFEE0B29B53A932F51007F19927E8448B4D31F31D0D95312273511C752E7DD0BC7634EFE212C578EC84DC3ED
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377.......E10.......0.4813.0.4319......0.4562.0.426......0.4373.0.3893......0.4593.0.3944......E20.......0.4562.0.426......0.4299.0.4165......0.4147.0.3814......0.4373.0.3893......E30.......0.4299.0.4165......0.3996.0.4015......0.3889.0.369......0.4147.0.3814......E40.......0.4006.0.4044......0.3736.0.3874......0.367.0.3578......0.3898.0.3716......E50.......0.3736.0.3874......0.3548.0.3736......0.3512.0.3465......0.367.0.3578......E60.......0.3551.0.376......0.3376.0.3616......0.3366.0.3369......0.3515.0.3487......E70.......0.3376.0.3616......0.3207.0.3462......0.3222.0.3243......0.3366.0.3369......E80.......0.3205.0.3481......0.3028.0.3304......0.3068.0.3113......0.3221.0.3261.............CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.463.0.42.0.00258.0.00137.57.17..3000.0.44.0.403.0.00278.0.00136.53.1..3500.0.409.0.394.0.00317.0.00139.52.58..4000.0.38.0.38.0.00313.0.00134.54..5000.0.346.0.359.0.00274.0.00118.59.37..6500.0.313.0.337.0.00223.0.00095.58.
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\F28C57DF\B65B8ED4\chart_cie1931w.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 663x654, frames 3
                                                          Category:dropped
                                                          Size (bytes):52016
                                                          Entropy (8bit):7.671803743250698
                                                          Encrypted:false
                                                          SSDEEP:1536:HQeswjrRRDzYtzY04Q1lIeSqDye7R6CvZJz+75:wbwjrRRDzY1Yjq7SQ7RjvZJzW5
                                                          MD5:5A5A18D04A1E20512F32E8C21F286E4A
                                                          SHA1:5193582C703AFCB9FFFB84C46B6837BBE9026BE0
                                                          SHA-256:827E3E67CD174BBA9A30FB11F0E0419DA0384B84CCD2050E6246701B505FAEF9
                                                          SHA-512:DB5B18AA3358736EED43F9EE3F3284AB15DFA22606FFBB7CD278036BAD380F91F8FFD1F07AC2CB6D7AE4C879E7369716A61E3EED85AEBF09B742811172107434
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\F4ED2515\3EF45B9E\ANSI_2011.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):881
                                                          Entropy (8bit):4.0063232350310995
                                                          Encrypted:false
                                                          SSDEEP:24:cGIV0UVuKaZuTAQaQubrOcHge3vQTDVz6y:eVzVudZuTOQublB/W1z
                                                          MD5:ADDCFE247A6E035209CCCBD99F699EA1
                                                          SHA1:764AD762AE4E1A063F57C2C8E2D18AB0DC5141EA
                                                          SHA-256:505C3D93C19A8C64D5131AB94E1CBD77BDA4EF1A1B7187D731510C2CB5DFD3A6
                                                          SHA-512:9A77CF8974BA731D8436C9E1F4B0B1D8990B8733BE86A26566808AD134B1B0E6EB4A599CF7AE7037BCD8878906548310F7686A024DD88DB7E507CB983DB97C55
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377-2011.......E10.......0.4811.0.4315..0.4561.0.4259..0.4373.0.3892..0.4591.0.3941..E20.......0.4561.0.4259..0.4302.0.4171..0.4149.0.382..0.4373.0.3892..E30.......0.4302.0.41713..0.4003.0.4034..0.3895.0.3708..0.4149.0.382..E40.......0.4003.0.4034..0.3737.0.3879..0.3671.0.3583..0.3895.0.3708..E50.......0.3736.0.3879..0.355.0.3752..0.3514.0.348..0.3671.0.3582..E60.......0.355.0.3752..0.3375.0.3619..0.3366.0.3372..0.3514.0.348..E70.......0.3375.0.36169..0.3205.0.3475..0.3221.0.3255..0.3366.0.3372..E80.......0.3205.0.3475..0.3027.0.331..0.3067.0.3118..0.3221.0.3255.........CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.459.0.412.0.0027.0.0014.53.7..3000.0.44.0.403.0.00278.0.00136.53.22..3500.0.411.0.393.0.00309.0.00138.54..4000.0.38.0.38.0.00313.0.00134.53.72..5000.0.346.0.359.0.00274.0.00118.59.62..6500.0.313.0.337.0.00223.0.00095.58.57..
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\FC8C594\7AF51026\LICORC.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:08:07 16:10:55], baseline, precision 8, 424x389, frames 3
                                                          Category:dropped
                                                          Size (bytes):65664
                                                          Entropy (8bit):7.563574997001168
                                                          Encrypted:false
                                                          SSDEEP:1536:J3UYDQO5/EOYE+HZYS+up2wvGon6fR93oV:mk5JU5YS+uN+9s
                                                          MD5:A57E8C6BB8787217316ACE238BDFF43A
                                                          SHA1:03C311EF7213EF6219391E1DEE6BEE781C32B97C
                                                          SHA-256:C339438B62D436692A6363693799D818CEE49F043EDE20C7E06DF1E4947855EB
                                                          SHA-512:48CDF60EABA0BC8AF560E3B4E75481EE0EDCA7FCB763B63FD3298883676AA2E92936E537891DC48ED5230AD75AB48EEF3AD9395A40EF889FE74A03BEA42F271D
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1340928
                                                          Entropy (8bit):6.677299856016359
                                                          Encrypted:false
                                                          SSDEEP:24576:89mKmMTfYBbuMNX9PnKMHxXgrptvZzDMbxBqSwY1raig5CUd1t:89mn1buMNX9yChIGbxUSwr57d1t
                                                          MD5:57C34F9689A69BE0C1CD7F6FF3FDA546
                                                          SHA1:54F0D3CB9693D8937AA93301AC66D25CDEA9B628
                                                          SHA-256:2C2095721E9E7B3CA68D08D5F3D6E0528B8BCED9A45CEA638CF4B8212E9B139E
                                                          SHA-512:01C95F082FD71DAD1BC686F37B7CA06724936B2E02294147EEBE384910809ADC8D802D89016CFA423C1181D531CE6C8D0AF4C95F633D8AE8D6AAD3B10C842F4D
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\mia.lib
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1335758
                                                          Entropy (8bit):6.607116387652834
                                                          Encrypted:false
                                                          SSDEEP:24576:kKLeEbW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ5e:jLeEbasY6DwOBfrnvV7UeWtPe
                                                          MD5:2957FB70B1A610B54D98CC4FB2F8DCEC
                                                          SHA1:68319EBF22A4B7D3B52B2E1198CF61535D024E24
                                                          SHA-256:30B0CD1B04F0B39251614DB60C5F9AD7E98E4201B46CDF4C850942A14F03ECD0
                                                          SHA-512:873CCADABA7A9A639328B42360166BCC427C7298FF743829C3BE92F0FBD9EF8D000F64B799765EB80D42F8BFC5196BF1083752D33840359909E9DA740B15C489
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6156254
                                                          Entropy (8bit):6.3901059849449515
                                                          Encrypted:false
                                                          SSDEEP:98304:IBCWJvXmK0COmVbcEkT/THDXPaV0L8l4AWn1eyeHszH2OsP4PqyK13icjqsNTUja:IIWJfmK7cEkT/TuV0hZseHiFII
                                                          MD5:A94344CD648287F3BC40B538AF42190B
                                                          SHA1:97A112188EAA93633C88BB7087D021BB565DD232
                                                          SHA-256:1AFB50E204A6511B43D62B8ACF150E256921DF3B2A98046C2F7071377BB30FC7
                                                          SHA-512:A291392F131E37E08D1B6DD67E38D9318CB0C5F4C6B4F6F6EE847FE7E589160B763A3E578F0535A9ADFC016723CFC22F661029D3B2F05C2CD8E495D669C3AF07
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe, Author: Joe Security
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.msi
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.res
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:7-zip archive data, version 0.3
                                                          Category:dropped
                                                          Size (bytes):3902968
                                                          Entropy (8bit):6.223067831964042
                                                          Encrypted:false
                                                          SSDEEP:49152:5XHXAgwX91XhXWXbXRXVXgXLwXmJXFPId4xSSS/mlfQYSvpcbuMNXCSpA+xUS5ad:5CASSvWHv5e
                                                          MD5:EDA618F20514ECF18BB76A912EFDCA5C
                                                          SHA1:4C67E979C888877340DEAE91FAB10A47D34CC62F
                                                          SHA-256:35D753D12BAA6A54A74BCCF75D6F5803709E60239E1B7CBD8562D683020A3D4B
                                                          SHA-512:30CE9317979416E40024C2CE5B6F3EF2B454118F9371F5C86948B659B98D8128D07902D3B524C389D6621B0027427DCACEEBBAF1D223A3A63D9818122FC3E952
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-180_Installer.msi
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):76728
                                                          Entropy (8bit):6.254581045679638
                                                          Encrypted:false
                                                          SSDEEP:1536:edjdN2c6vBVoJFLVbRv4e1R42TtHT/tNzxU:edNmVGFp9B1TtHT/tNzu
                                                          MD5:980ABD131E4B45DC8ED554D3EE0C2044
                                                          SHA1:B6041667248E9AD0CED547B33C16BF1D8A495661
                                                          SHA-256:0D75323B0EEFE651374099234B718DA70FE3C160D62BD73B49579CB07C4DDE4B
                                                          SHA-512:0429B94DD0871CB8EDB02DDDDEF2E5D21D22B09D96DCB1CF937E35B2D085742CEBDF121591902FD0A686078F9F241C5551892D1BBFC15E2B094D39BEBA159C5A
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1305600
                                                          Entropy (8bit):6.66768345397406
                                                          Encrypted:false
                                                          SSDEEP:24576:yIAaJZ7NOcdUT4OELlCRmLrxB4Swz+hLnNlAj4HdH:HcWgYfxSSwz4A6
                                                          MD5:511629FCCFB6C536A8F6FCBF4AA06401
                                                          SHA1:6931DE3FB845AF6CD30348108A98767268EF6200
                                                          SHA-256:65AD010679A748A7174ABE1C314E0F1AE78E7BE69DEC22F0357536F21399C68C
                                                          SHA-512:D51248F81789E8E2DEFB7B59E551B3FF705C8D8BB098AC66E7A4C7C9AF48855544BA44D6256F02052B6D525753A645E7EA601F421A5918446A231775F89E081C
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1050104
                                                          Entropy (8bit):5.617498652730841
                                                          Encrypted:false
                                                          SSDEEP:12288:uIId79EaUTvwieMozMEcOigSpuPMaLium:xIdqaWw1MsbTScP0
                                                          MD5:BE3C79033FA8302002D9D3A6752F2263
                                                          SHA1:A01147731F2E500282ECA5ECE149BCC5423B59D6
                                                          SHA-256:181BF85D3B5900FF8ABED34BC415AFC37FC322D9D7702E14D144F96A908F5CAB
                                                          SHA-512:77097F220CC6D22112B314D3E42B6EEDB9CCD72BEB655B34656326C2C63FB9209977DDAC20E9C53C4EC7CCC8EA6910F400F050F4B0CB98C9F42F89617965AAEA
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):921992
                                                          Entropy (8bit):5.698587665358091
                                                          Encrypted:false
                                                          SSDEEP:6144:EZtaKSpwmx5ATm/LC3fwf3OoU9xkYSr/mdBTRhKWIjsRP/1HHm/hHAM8i6r+LyIU:EZxSpwmxvL/f3vCN1PMaLi6rAyIQjF
                                                          MD5:30A0AFEE4AEA59772DB6434F1C0511AB
                                                          SHA1:5D5C2D9B7736E018D2B36963E834D1AA0E32AF09
                                                          SHA-256:D84149976BC94A21B21AA0BC99FCBDEE9D1AD4F3387D8B62B90F805AC300BA05
                                                          SHA-512:5E8A85E2D028AD351BE255AE2C39BB518A10A4A467FD656E2472286FEE504EED87AFE7D4A728D7F8BC4261245C1DB8577DEEEE2388F39EB7EE48298E37949F53
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\1EA7FD63\B65B8ED4\box_feature.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2152x581, frames 3
                                                          Category:dropped
                                                          Size (bytes):155551
                                                          Entropy (8bit):6.411518614321463
                                                          Encrypted:false
                                                          SSDEEP:768:n/Tstz8ofLN4p+QaOZV4sprBPMCCWn1YyNKlz6J6J6aX6g+6J6JP696J6JsoK3:n/TY8ofZ4MQbesp9Djn1IlzbX8v3
                                                          MD5:BAE95521060E3A852BB0753BB15DE01A
                                                          SHA1:EE52EA3E495D25CF5D0795DDCC2D9AF710EC381B
                                                          SHA-256:983617EEF70FB3AD4BA79E652D15C7254D2CDA3D8C963F9B97AF9E850CCD1631
                                                          SHA-512:AB25284B9A81600F5850CAD8E7E1A9C18D150072DBBC53A3CE1F26A7EFA95980D786EF69E23BB5787F06DEBD0A4D26EE9368713994EED601774FA315CB39DB47
                                                          Malicious:false
                                                          Preview: ......JFIF.....,.,.....,Photoshop 3.0.8BIM.........,.......,........i.http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.277092, Fri Feb 23 2007 14:17:08 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:dc="http://purl.org/dc/elements/1.1/">. <dc:format>image/jpeg</dc:format>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang="x-default">20141009-2</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xap="http://ns.adobe.com/xap/1.0/". xmlns:xapGImg="http://ns.adobe.com/xap/1.0/g/img/">. <xap:CreatorTool>Illustrator</xap:CreatorTool>. <xap:CreateDate>2015-12-17T17:11:43+08:00</xap:CreateDate>. <xap:ModifyDate>2015-12-17T09:11:49Z</xap:ModifyDate>. <xa
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):24576
                                                          Entropy (8bit):5.444427923348303
                                                          Encrypted:false
                                                          SSDEEP:384:8JZ8/zig4KI5XHhdq4Jrd6T0ZUi/WP0m1g5TkgCGDZaV55K6Z0MFVIZnJ96FkU6X:vBM53ZJrdJUi/WP31d/Gdo5KgLcnJkzg
                                                          MD5:971FA2980AB94A90B6A9A8385267E653
                                                          SHA1:FC739185177A85ED04B71C6A8D5FDFB72D919306
                                                          SHA-256:25E3D0517AFCBD70C1EBB53097F096E1BDA49DC4524E3C858489E5EC12825608
                                                          SHA-512:6D905EC5FCEE1F8ED2870AF0714A6C630DE3E8D8611406486ADDA08ECFC1873BD57932ED73F42EF93E4F49D40FCED13CA5C1C99795E8C0CECBBE6B56327E1337
                                                          Malicious:true
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3431048
                                                          Entropy (8bit):6.400282478958549
                                                          Encrypted:false
                                                          SSDEEP:98304:ApT2oBS2w3Hp1SSx1Q2z1m6h9f8O30TjrZhdaNEzScif30g6vRpJuz1eyg9q44Ua:AxkQr0JnkTjrZh4jSJYZAqn+IgFyPne8
                                                          MD5:B24DF87B183ACE8FA4ED9D7504DDE689
                                                          SHA1:8C0439BAEE1E2E868A40D0FB524C535E8EDC9EAA
                                                          SHA-256:2B67C9E6F17A6E1DD56CB7F4F0D0A987475272355F758704B3CF1EB7A3E83BDA
                                                          SHA-512:E22ECBCBECE3F3594E8C66CDB17253E29A602512DFA20D80B5BECA4CF930DF83026374BBFFAB113C6A5F8CF83A1C60FE3188E14B87C1468C961FB6B693842197
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\3575565E\3EF45B9E\ANSI_2008.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):880
                                                          Entropy (8bit):4.024090783286004
                                                          Encrypted:false
                                                          SSDEEP:12:cykZUsywNgUhlC9SB1SzsQz3+WS+ineL85LAYr3DVJB4Rhby:cHWLSgU2HzOyieQTDVz6y
                                                          MD5:9A927231F267D229F8F1A82145D7B6B5
                                                          SHA1:3CCA3B1C9A43FD3D3E67C501BD0FC76BEA279C12
                                                          SHA-256:2692C10AC8F820DC79F297CF5375B5ECE84C04F9940ABC7575DBAA419E04F3E4
                                                          SHA-512:E8DBB142E0D1DC047307BBE0604383AF5ABC5B62A2DA0B13F07D59544324FFC745684A2E772E6CF9F1C8FF74B2E6AFD080879EA2DAD262D9EE887346143DD968
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377-2008.......E10.......0.4813.0.4319..0.4562.0.426..0.4373.0.3893..0.4593.0.3944..E20.......0.4562.0.426..0.4299.0.4165..0.4147.0.3814..0.4373.0.3893..E30.......0.4299.0.4165..0.3996.0.4015..0.3889.0.369..0.4147.0.3814..E40.......0.4006.0.4044..0.3736.0.3874..0.367.0.3578..0.3898.0.3716..E50.......0.3736.0.3874..0.3548.0.3736..0.3512.0.3465..0.367.0.3578..E60.......0.3551.0.376..0.3376.0.3616..0.3366.0.3369..0.3515.0.3487..E70.......0.3376.0.3616..0.3207.0.3462..0.3222.0.3243..0.3366.0.3369..E80.......0.3205.0.3481..0.3028.0.3304..0.3068.0.3113..0.3221.0.3261.........CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.459.0.412.0.0027.0.0014.53.7..3000.0.44.0.403.0.00278.0.00136.53.22..3500.0.411.0.393.0.00309.0.00138.54..4000.0.38.0.38.0.00313.0.00134.53.72..5000.0.346.0.359.0.00274.0.00118.59.62..6500.0.313.0.337.0.00223.0.00095.58.57..
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\36706E48\3EF45B9E\ANSI.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1004
                                                          Entropy (8bit):3.811029766434935
                                                          Encrypted:false
                                                          SSDEEP:24:cXRbzjOJi/CG1wwHPINYdBvmCQI9MSDVG:eRfCJi/CGVSY7x39P4
                                                          MD5:30638861125319A8EB54E0F75F953AD5
                                                          SHA1:8091B23543DE04CA3769A9C913C0AFAFD3191BC3
                                                          SHA-256:F6DFE926CECB9139750FC181961260E75817587C353BC525A7E018A2A571DCB1
                                                          SHA-512:3175EAFF7FF111EEBDE48459CDCEDBDD7927F3B0FFEE0B29B53A932F51007F19927E8448B4D31F31D0D95312273511C752E7DD0BC7634EFE212C578EC84DC3ED
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377.......E10.......0.4813.0.4319......0.4562.0.426......0.4373.0.3893......0.4593.0.3944......E20.......0.4562.0.426......0.4299.0.4165......0.4147.0.3814......0.4373.0.3893......E30.......0.4299.0.4165......0.3996.0.4015......0.3889.0.369......0.4147.0.3814......E40.......0.4006.0.4044......0.3736.0.3874......0.367.0.3578......0.3898.0.3716......E50.......0.3736.0.3874......0.3548.0.3736......0.3512.0.3465......0.367.0.3578......E60.......0.3551.0.376......0.3376.0.3616......0.3366.0.3369......0.3515.0.3487......E70.......0.3376.0.3616......0.3207.0.3462......0.3222.0.3243......0.3366.0.3369......E80.......0.3205.0.3481......0.3028.0.3304......0.3068.0.3113......0.3221.0.3261.............CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.463.0.42.0.00258.0.00137.57.17..3000.0.44.0.403.0.00278.0.00136.53.1..3500.0.409.0.394.0.00317.0.00139.52.58..4000.0.38.0.38.0.00313.0.00134.54..5000.0.346.0.359.0.00274.0.00118.59.37..6500.0.313.0.337.0.00223.0.00095.58.
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\383E736B\B65B8ED4\square.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 36x36, frames 3
                                                          Category:dropped
                                                          Size (bytes):811
                                                          Entropy (8bit):6.8734786141017254
                                                          Encrypted:false
                                                          SSDEEP:24:cwbGo0XxDuLHeOWXG4OZ7DAJuLHenX3wwObZF0E9Et:cUfuERAmjk
                                                          MD5:6A90C8F2391DF1AE3A0D4EF59B144E6C
                                                          SHA1:4C751BECA130B036BC5607290444B50104CE262E
                                                          SHA-256:CDE14B0A2A6B19A94EA227306823CCB1AE3C6E12939EAC2204C27F74C28D09DA
                                                          SHA-512:DB46E0B830C1753E7BA7D24AC341E96CBED8E98A96C2F309A1A0A82BE445ADADCB2D03B0D4CE5D194C313E68A9D21CB858EE2E93CBB233239190B1F811AB7581
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\409F08AF\B65B8ED4\box_information.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 1396x416, frames 3
                                                          Category:dropped
                                                          Size (bytes):22296
                                                          Entropy (8bit):6.223707808164865
                                                          Encrypted:false
                                                          SSDEEP:96:cAoE6DTpFWFWFWFWFWFWFWFWFWFWF18Z+Z+Z+Z+Z+Z+Z+Z+Z+Z+ZKgngngngnw93:FopYkkkkkkkkkkIQQQQwGfo
                                                          MD5:AAB4F09BBF6A3AE3E9A95E32958BA66A
                                                          SHA1:9D20AC06988DF7B9872B7CFBC39D8BC90CFB7532
                                                          SHA-256:1549FF975A60DBE53F63D8B977FA43AC1059E96AC2FFA0E0EF311726898ECE70
                                                          SHA-512:D4FF44288413D19BC487133B8E9CEADC8223B64836EB69C6994FCEF28D23FD43E6AA9B6E62F2634AE41CD1471904E28FCFEA0710C6D254B17E1361A8DC8CACC7
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\44DB77AB\7AF51026\LICOR.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:08:07 16:10:23], baseline, precision 8, 424x389, frames 3
                                                          Category:dropped
                                                          Size (bytes):55788
                                                          Entropy (8bit):7.406277105755755
                                                          Encrypted:false
                                                          SSDEEP:768:wjlNHlM3wYyUD6bOu8/Psvvm13GZ7I8fZgnpM89UUWnuY:p3wYDQO5/Ev+1WDfZ9893oV
                                                          MD5:4A482C8F0C46BD5D8C3D6739AD1BC7C8
                                                          SHA1:E543A7289D861A0F9ADD6B33ED1D837AC89FCBA6
                                                          SHA-256:FB2BFC19FBA5DA463FACE6D76EFED53CB1A2F307D3E9C5BED8E7D11B8BBFE2D1
                                                          SHA-512:7F910843D036135070DA2F14524F628C2CE3EFE9A1AEB0DAD1DB63578D1A55C7ED25E573E1A15568A253FDF51D0339423A127703DDAF2EFAC55D2B0E701696DE
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8981
                                                          Entropy (8bit):6.952810377972559
                                                          Encrypted:false
                                                          SSDEEP:192:6IKsjkeBneIyCNECwnVhjeyveCtAW5LfsxhQ8tsU:1KskI/w/jpvjAGLa3t/
                                                          MD5:FC43EB094C0074FCD29ADC9A742371D9
                                                          SHA1:21EA184EB636E45550BD6A18CDAF08AE19DDD776
                                                          SHA-256:993B957EB5EAC489092B25A51473CE9B4BC49835673999BC4A95440318194D8A
                                                          SHA-512:6A1ACB42C8A6A18E956431F62A89E3BFCC3484683C2934358ACA50D3FCB42D7FD244625C39D78B4983050BE26B9C5114AB53E41DB429B56BC336D33A2B4B3380
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):17408
                                                          Entropy (8bit):6.017219183396955
                                                          Encrypted:false
                                                          SSDEEP:384:Hb8p/BVUEZg4exDJKDYh3jOB2raIc15FdIq+m:mcdY0h8GaIudB
                                                          MD5:812318F3E7BD682E1C22F0B707F66E82
                                                          SHA1:AA17A293AEC2BF1239779A8D439F84B2602D76AD
                                                          SHA-256:9B4C47FAA4BD6F22E75CF8430BAC37E48108C35B6737850E583EFDC37C4D8A81
                                                          SHA-512:961BF96B873E269AD566B33243DF872D989AAB6EB51E29CC984D26BCCC331DDB60B45B301C2FD13D9F5E10BC26CAEFBD948D305D35EBAA22515453A3CD57CFD5
                                                          Malicious:true
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14592
                                                          Entropy (8bit):6.033771703962439
                                                          Encrypted:false
                                                          SSDEEP:192:+Dj6z0KomA4LWbM09xLu+YMJpJ7CBMS8iCtSRGb2T+OuT+evhuj4tmkG:+Dj6zHAqW2XwFCjRjyHyevdm/
                                                          MD5:599F3715602F4CB09AD0FDC606E3B9D9
                                                          SHA1:659F9A1CF662260F3FB197E6FE3592922014E831
                                                          SHA-256:589FEA41EF48ACD9F0FC54AB25A430E5627D17E8EC3C950F3C5CB71C348E9B8D
                                                          SHA-512:56E55D7FD6330E2BBE60BD79D7502E22CEDC9F448982C54E9C924BD57B3C0741E634883435BA4621DB80852D7F47A081FA4FA4302217BFB4BF87558F7EC233BB
                                                          Malicious:true
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\587D056C\9426740A\CHK_20131028_165820.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Microsoft Excel 2007+
                                                          Category:dropped
                                                          Size (bytes):8720
                                                          Entropy (8bit):6.701734712242596
                                                          Encrypted:false
                                                          SSDEEP:192:8RuQ59v4QSpEeUWb2CAvib49uOHbYJy8Wn:O5l4QSpNJb2CAve49xHbr8A
                                                          MD5:BFC68AF73FFA1AA121D292B61E6EEE17
                                                          SHA1:A45A0D6C4CC9571BC9DB1E5984EB42BA467A61C1
                                                          SHA-256:857F749226E477CD880AD1EFC5CFE90F819CA7187E3E229C341FC892F516BB62
                                                          SHA-512:1CA0F915594FBD9359A301852DB87FC62C29D7C27513A35BBD314106BA3DC58331D60DAC875F29ECCC642CF34C9D4BD5E2D79122D7B278E1FCB4251F879741C3
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\609B42C1\B65B8ED4\box_feature_ppf.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2152x498, frames 3
                                                          Category:dropped
                                                          Size (bytes):139076
                                                          Entropy (8bit):6.441878302402045
                                                          Encrypted:false
                                                          SSDEEP:768:nFJstzSYvn58tludWBaUVvef9YyzH+HRXPKX+HRgH+HlgPKw+HRgH+RPKUPn:nFJYNv2luEBaWmf9H45I4e4lOj4eKdn
                                                          MD5:13BC7A5820F748A41E20452055D323A5
                                                          SHA1:CA4D14E7B696A27A8D607AB390C056AAD8D47A45
                                                          SHA-256:1C16416D81D5078A524B0DCBAFFD9A74A6DFB01E694A27B9C43EA1DAAC3AA03A
                                                          SHA-512:2E60EC4AD6A9B9B6204BFE9046555FABF683C95CDF81168F15DB06FEC1B2782250C5FBA17B4B2269F2D6776609D3AD372E9658CB1BE3E6AB16BF8BCA0F768C68
                                                          Malicious:false
                                                          Preview: ......JFIF.....,.,.....,Photoshop 3.0.8BIM.........,.......,........|.http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:dc="http://purl.org/dc/elements/1.1/">. <dc:format>image/jpeg</dc:format>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang="x-default">20141009-2</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:xmpGImg="http://ns.adobe.com/xap/1.0/g/img/">. <xmp:CreatorTool>Adobe Illustrator CS5.1</xmp:CreatorTool>. <xmp:CreateDate>2016-05-03T14:13:19+08:00</xmp:CreateDate>. <xmp:ModifyDate>2016-05-03T06:13:23Z</xmp:ModifyDate>.
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\655BFA89\B65B8ED4\LI-COR-logo.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=12, height=684, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=3447], baseline, precision 8, 800x158, frames 3
                                                          Category:dropped
                                                          Size (bytes):87232
                                                          Entropy (8bit):7.76374401337514
                                                          Encrypted:false
                                                          SSDEEP:1536:bYczYcIalM6o5JJtLgDjnRG1fvAHDlwivG/wIqZ:bLpzoX4jnRG1fIhwiv4qZ
                                                          MD5:76FB5E4E25D73167940320BD69523801
                                                          SHA1:6EA73FD9F333AED01255690D5704FC031AD14D96
                                                          SHA-256:A4C401598FA51A19AD762520C3D217B8C4D0A7626B169C6A60B2126A7E53FE9E
                                                          SHA-512:9CD93A5CE8429490D47E50FA86DC2C18D167AA1AF9716AAB079D627A6DD1AD35EE388DABC25EA27C3C2B768F82FF17FDDBF10B24A140C252F67DC19325212D6F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\655FCA3B\B65B8ED4\box_basic.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 646x416, frames 3
                                                          Category:dropped
                                                          Size (bytes):9428
                                                          Entropy (8bit):5.6390537195983566
                                                          Encrypted:false
                                                          SSDEEP:192:c6yVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVMVUrVUrVUrVUrVUrVUl:hyVVVVVVVVVVVVVVVVVVVVVVVVVVVVVK
                                                          MD5:D6BF0E1638C32635B4B0E330DD4DA28E
                                                          SHA1:92B2747EB2E1DD1907697B4B40AA139448F4A653
                                                          SHA-256:5950D7AA6792FCDE26529D5C213954C33441C783C4DEEE2283AAA4998AC6EFE0
                                                          SHA-512:5140109E879C83EE9F7BD0D014D5004823155EB0E080DCED2FF10355C2A03E513318FCC83A610BDC55EAB00554CD0ADB6B1A909C50121809EC2A7116BF08EF40
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\67ACD331\98FBEBF9\Reference Spectrum.xlsx
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Microsoft Excel 2007+
                                                          Category:dropped
                                                          Size (bytes):34235
                                                          Entropy (8bit):7.799348435900692
                                                          Encrypted:false
                                                          SSDEEP:768:VXOQ5UiKo1zFbU9ZnApNIBZiQLmNI2e6vWRJFu3D7:VXiiKo1zFbU9ZA/IHi0mGz6vW/FaD7
                                                          MD5:C06B8A0334EF85F888F3DBC85669C3FF
                                                          SHA1:CAE0D2805B7452816D5CAC7C7A6B621EAC5E3F7C
                                                          SHA-256:E04ECF261F03F9168CD85B6FA025AC57917CD44B713B1A8D530B20C446C1211F
                                                          SHA-512:70F83D59F1496B16CA45C60A7E1C24A0FA526E1424FE6CBA0FAA4DC43033BA5B7B52C9C015F3EBF0475B9624C41C3A2FEF43CAA1BF76A4AF66ED0B2D0E7C22E6
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\6B339451\B65B8ED4\chart_criw.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 674x635, frames 3
                                                          Category:dropped
                                                          Size (bytes):27880
                                                          Entropy (8bit):6.875985710971225
                                                          Encrypted:false
                                                          SSDEEP:768:TToaGXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgJ8bXm:TsaGQQQQQQQQQQQQQQQQQmb2
                                                          MD5:D1A53D4B64F05A2871B04470C035F9D9
                                                          SHA1:BF0CD7A2DC6707C59D3038CC40A3F34F8629A240
                                                          SHA-256:FC9B2EFF24902D0408371AB727507F7C53F805038D340792D00D906E88E4AED5
                                                          SHA-512:5A9DFFB0AC796903E6E04B388C253F8234A2E86FDDA2FD5ACE230C6D3405DEF0F54C726DF81A2C862750F60BF497F35DE503EA0D4E430015674B15BC29DE8C4F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\6B481F13\B65B8ED4\cie1931.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:05:23 17:14:42], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):350390
                                                          Entropy (8bit):7.157320861579299
                                                          Encrypted:false
                                                          SSDEEP:3072:u3OzT+4vPqniUMWkPnMgZAWt9B2yxQ5FKIEaya4VsvSPcHNIjykqDY7oyZ5J1:jvPqiUMWkPMcBa5Fzn4kMcHNoHEyZ5X
                                                          MD5:38DFEBA72CD538D1256B67D2BF8FAE0C
                                                          SHA1:F8711D63148468FD8D712599342C504A0D1D3B72
                                                          SHA-256:FCFB2D1F9E427F3F1B8ED33B377D0493A0B9F0C7B5172C13DAABABD1F0086B9C
                                                          SHA-512:EB9151D05FE8FA3D3001581C276A802CAE768CD34A0F77FBFED9D44872BC41BA1D9C18625C2FBA24D625447B4769356F45E375927C3619BFA11E3A5F31109E81
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\6C0AF2E8\BE4A257\LICORlang.ini
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                          Category:dropped
                                                          Size (bytes):269766
                                                          Entropy (8bit):4.17943553746763
                                                          Encrypted:false
                                                          SSDEEP:3072:uukCl9EIczUzZz+zrJZzU7ugHJ2L30fNy7IrwnN5ME+siFGV9q88YFUn8fS5cP/1:vXF8tV
                                                          MD5:6B5601074757D38741CE5675B76388CB
                                                          SHA1:A10E15E42235C7910BA7241A5415E6426943D947
                                                          SHA-256:BD4B17BFFC964B105918140E2B15AF0C29292ACBFFB06E568E1269361B99F9DB
                                                          SHA-512:311E71E2570A5C39BF7C85573F11DDB449518413679BDC1219BF4D36239E7142053EC3D7B96A5359C1B25BD20744F3C6D0F24E94981EC297671100B57BA7EAFE
                                                          Malicious:false
                                                          Preview: ..[.C.H.T.].....B.A.S.I.C._.S.E.T.U.P.=.._...j..yr._<P-..[....B.I.N._.S.E.T.U.P.=.B.I.N.yr._<P-..[....B.i.n.E.d.t...C.a.p.t.i.o.n.=..}/.hV....b.t.n.C.o.n.n.e.c.t...C.a.p.t.i.o.n.=.#..}....b.t.n.C.o.n.n.e.c.t...H.i.n.t.=.....b.t.n.D.a.r.k...C.a.p.t.i.o.n.=..f!hck....b.t.n.S.e.t.t.i.n.g...C.a.p.t.i.o.n.=....|.T-..[....b.t.n.D.a.r.k...H.i.n.t.=.....b.t.n.D.i.s.c.o.n.n.e.c.t...C.a.p.t.i.o.n.=..e.}....b.t.n.D.i.s.c.o.n.n.e.c.t...H.i.n.t.=.....c.b.B.i.n.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.C.h.k.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.C.o.u.n.t...H.i.n.t.=..}..!kxe....c.b.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.L.o.g.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.L.o.g.I.n.t.e.r.v.a.l...H.i.n.t.=..}...v....Bf......c.b.L.o.g.I.t.i.m.e.C.o.u.n.t...H.i.n.t.=..k.fIQBf...}..!kxe....c.b.L.o.g.I.t.i.m.e.E.n.d...H.i.n.t.=.P}_g.v.fIQBf..<P....c.b.L.o.g.I.t.i.m.e.G.a.p...H.i.n.t.=..fIQBf.....<P....c.b.L.o.g.I.t.i.m.e.S.t.a.r.t...H.i.n.t.=.w..Y.v.fIQBf..<P....c.b.L.o.g.t.m.H.M.a.x.V.a.l.u.e...H.i.
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\6DBFE203\342BBCE8\Cold.asz
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32243
                                                          Entropy (8bit):7.983643036707625
                                                          Encrypted:false
                                                          SSDEEP:768:FwZk43Try4rswSIWlZDbkP3PTVVzN7DlKe8pGY7eKIfi:FwK+yMswSbfDb07DzxlEqVi
                                                          MD5:AC1C8E08E905B7F2050F55295A054FF1
                                                          SHA1:76C174B7C484DE9691DE8F60E790222D1D5362D9
                                                          SHA-256:332EA0360575D993483B891C19DA9115342C8B207722C072E64F6D960BDA27E2
                                                          SHA-512:2F56A66363FB558760BB8BFC370EB5F6E3ECD3037FD6BA9763903BC0F1C420421FC55CA160EBA97A2772A49949BC649FBE66BA010C5BD456ED23DA88007052C9
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\7021623\B65B8ED4\chart_cie1976w.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 663x654, frames 3
                                                          Category:dropped
                                                          Size (bytes):49281
                                                          Entropy (8bit):7.677803253072959
                                                          Encrypted:false
                                                          SSDEEP:1536:HOz9vOQugFYu+r15YmntUPmng1hlWzqivgb50oVSLs6h9OTT+0:uz3FwxOPmg1GCSooLs6hM+0
                                                          MD5:4AE6C98119702AD8DBE19815759A9AD5
                                                          SHA1:DD6246D6C6A2606AAB9725156B6F3C6554670D60
                                                          SHA-256:948DC9829F0D27B461B7410CC20E42E8299FD9DC7CF29AD4C269133873A06810
                                                          SHA-512:2CD288A1E3FD13D44DD2C1F3B8D9ADEC9EC43231E71882CEBDF8D101DC1199018B20227E88B4B73310C019F26786D991CCB230E5D46340A913C5D0FB271B4DCB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\7493ECCE\C0705257\CIEO.CFG
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):25871
                                                          Entropy (8bit):3.628876107565113
                                                          Encrypted:false
                                                          SSDEEP:768:tAqlIjLdNeBa/QlhO4erymyb2U2nCGqsjIogBLFenLwfl:tAqlI1NeBaolhOLrymyz2nCGqAgBLFeE
                                                          MD5:2ED1B9435809772B68294D38B962DE19
                                                          SHA1:ECE1D3D025626D350683E7070382F235FC9FE09B
                                                          SHA-256:67F5DF4714FB4E1D09FC592DDD4AC6B6FAE220B25F5CEEF7B1B538AA653FF465
                                                          SHA-512:175FD4219059AEFBC9EDF83359AEE72FC90E8A60048A6A11EBBE15B8F62F9981899D2827D791600998B4D67CC6C2703B4FAF82B520BA5411AE9247C44401BADC
                                                          Malicious:false
                                                          Preview: 401,380,780..0.17411.0.00496.0.25686571.0.016464427.0.25686571.0.010976284..0.17409.0.00496.0.256832415.0.016464184.0.256832415.0.010976123..0.17407.0.00497.0.256787756.0.016496404.0.256787756.0.010997603..0.17406.0.00498.0.256759747.0.016528743.0.256759747.0.011019162..0.17404.0.00498.0.256726457.0.016528499.0.256726457.0.011018999..0.17401.0.00498.0.256676525.0.016528133.0.256676525.0.011018755..0.17397.0.00497.0.256621308.0.016495188.0.256621308.0.010996792..0.17393.0.00494.0.256588798.0.016397312.0.256588798.0.010931541..0.17389.0.00493.0.256533573.0.016364361.0.256533573.0.010909574..0.17384.0.00492.0.256461702.0.016331288.0.256461702.0.010887525..0.1738.0.00492.0.256395126.0.016330806.0.256395126.0.010887204..0.17376.0.00492.0.256328554.0.016330324.0.256328554.0.010886883..0.1737.0.00494.0.256206027.0.016394531.0.256206027.0.010929687..0.17366.0.00494.0.256139471.0.016394047.0.256139471.0.010929365..0.17361.0.00494.0.256056282.0.016393443.0.256056282.0.010928962..0.17356.0.00492.
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\774E815E\526B362B\LICOR-about.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 145x435, frames 3
                                                          Category:dropped
                                                          Size (bytes):12917
                                                          Entropy (8bit):7.841242072236601
                                                          Encrypted:false
                                                          SSDEEP:192:A+rZ8DyGZb+SvEEnb81eH1lJzjrFW/tUBHWTYrwwJpU8jDI0VRcYgVNJv2OsZEFs:rWyZbU8ATJk/2RDPfXfj7gYOej9
                                                          MD5:AEB44B1C85804C8574E0E56037233558
                                                          SHA1:1F115B2CCFF90DCD80DE33501BB2341827A65DAA
                                                          SHA-256:0D91511EC270698D449798FEAF766B1A3820CB659BC2E37C10B52F39D7046B17
                                                          SHA-512:347B732569F61C725355394724224063F759A430E71523F8C24CA19C041E67AC9402B6FE50C1056000CF9E36F94B7BC20D7F1891E67D2F002BD44AA0626DEF3F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\8C4586D2\7AF51026\cie1976.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:08:09 15:30:04], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):304735
                                                          Entropy (8bit):6.764574393450863
                                                          Encrypted:false
                                                          SSDEEP:3072:U9qqfJ6k0lWHQD3N5i85cLpl6Dziokg5ZVpLe+BUMx8Ni07c/FXr25:eq+elWHQD9Cz6Dz13ty+Bhmc90
                                                          MD5:0C86034B78AC08E8EBF4751066FF4508
                                                          SHA1:9E2CF625C636D92524BBD3787C326CA0A411150B
                                                          SHA-256:B5426827E53E27D35BA83DE51C5367BA595AB1B22C2411E3B0DCBA31C6896886
                                                          SHA-512:C25574138EE7544958DA6FC1BEE3BC0C5495547CF04DE9AC39827E2340B58593897F5F2BEEB62F5A932FC95086AD833A92D9DDA52D83758BC86AC007ED00C29E
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\9847A14B\B6D77E4E\ESPD_LI-180-000.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):7336
                                                          Entropy (8bit):4.207813795706626
                                                          Encrypted:false
                                                          SSDEEP:192:caWYFcBd/EL8XoWGUoN8y/kc6L4eexSZod/D0FiMwX6:ckICL81LoN8IOeoYD08MZ
                                                          MD5:75F5F0228EF83924EDAF8B5AA0DE93F9
                                                          SHA1:A34DEB51928DDA684CEB73B267831E5D2832A591
                                                          SHA-256:EE507AACFCA46227BE426667327F5F65432AB3EAE545619B7B05583EB95AEFA8
                                                          SHA-512:0949B79F2FF3A24CC3F2F807017FBF09F3393AC11BB46B52F5310609F0F4B31F7DB972E451CD404119806B2F376C9476C5E5BD26EA60A75030A0BC00E2A70BAD
                                                          Malicious:false
                                                          Preview: Model Name.LI-180..Serial Number.C16M0094..Time.2018/06/07_18:36:47..Memo...LUX.551.286071777344..fc.51.234764..CCT.5279..Duv.0.002312..I-Time.810..x.0.337865..y.0.350262..u'.0.207044..v'.0.482941..x10.0.344416..y10.0.343235..u'10.0.214256..v'10.0.480423..deltax.0.000138..deltay.0.004687..deltau'.-0.001705..deltav'.0.002342..LambdaP.449..LambdaPValue.14.203784..LambdaD.564..X.531.774719..Y.551.286072..Z.490.864868..S/P.1.821943..Purity.0.064435..Pct Flicker.0.000000..CRI.72.959000..R1.71.421402..R2.76.906075..R3.79.229408..R4.73.710800..R5.71.450272..R6.67.357368..R7.81.994560..R8.61.602081..R9.-16.864355..R10.43.786861..R11.69.502899..R12.42.744762..R13.71.495804..R14.88.912788..R15.66.517227..CQS.71.641174..GAI.81.695618..TLCI.50.887054..Rf.70.698936..Rg.94.557259..PPFD.7.529354..PFD-UV.0.006745..PFD-B.1.763472..PFD-G.3.702757..PFD-R.2.114594..PFD-FR.0.278020..PFD.7.806673..IRR.1.697261..380nm.0.099609..381nm.0.099624..382nm.0.100046..383nm.0.101189..384nm.0.101241..385nm.0.095187..3
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):19456
                                                          Entropy (8bit):5.5838184446755195
                                                          Encrypted:false
                                                          SSDEEP:192:2fW3/zOHLiVaL/qqPhh0m1ooaJOz6CXPaxEL+GIn0alGalILp/JSUJj6jLfJv19U:2fW3LOHLdLCI0m1Xz3fW01alInS1LFv
                                                          MD5:CEDF7CFFCCD03451FD22DBAAC2E3DE8E
                                                          SHA1:3FD8383608DB769A1E2C8E0C1302C315DCA8B37E
                                                          SHA-256:A1F4B952099EBA4BA4E659782F85B45C4BBB411BF5B7C02D5BE0CC3DBF27AFF3
                                                          SHA-512:BBA0BF8C75E5A1B1AFC72F5B5A33CACA721DBB4589DE7B3430398AE147E2E2CF18A15932DF62D32423B1093453B55B48B9E99FB7549135E3CF33976229C47376
                                                          Malicious:true
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#d..g..g..g..n}w.e..g..B......b......e..n}g.d..n}q.f......f..n}n.b..n}p.f..n}u.f..Richg..........PE..d...A.?L.........."......:..........d...........................................................................................................P.......8...........................@a...............................................`..@............................text............................... ..hpage.........0...................... ..hinit....U....P.......6.............. ..h.rdata.......`.......8..............@..H.data...0....p.......>..............@....pdata...............@..............@..HINIT.................B.............. ....rsrc...8............H..............@..B................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\AD9FE403\7AF51026\GAI.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:11:20 16:36:56], baseline, precision 8, 394x472, frames 3
                                                          Category:dropped
                                                          Size (bytes):36337
                                                          Entropy (8bit):6.764811903181098
                                                          Encrypted:false
                                                          SSDEEP:384:gKibD1sWGibD1LnE3rvkPYNg707osesesesla:gKvWGAE3rvkPYy9sesesesla
                                                          MD5:F6A740B37593A25B3303F21BB5C79123
                                                          SHA1:E84EEBD8AD1C57D3EA08C6A838816FFC041971B4
                                                          SHA-256:5D44CEB519861E072FCDEAEE1D3530FA59D573AA5C80BFE06C39BA83AEE7CEBC
                                                          SHA-512:8B7F40BBED567DBC12F273B384B3C6D0F0F27CECFFE8FB6F8E59E27C91A21865AE972E722D1473660857A10048D26E3D9E4D79417E67245ACC86508DF4C1CA7E
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\B7ED429E\E1510A13\setup.ini
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):639
                                                          Entropy (8bit):5.225501775126988
                                                          Encrypted:false
                                                          SSDEEP:12:o4W7yQSuA5Q0ZAFXYFP3oZjAjwMphMpYNS75qyR910OUGyy:o4sSuASFFuPYZj2py2N0syR9apGyy
                                                          MD5:80DF0F8F1C0B01912035B8EDBEE3FCA4
                                                          SHA1:A375BB2019091745C5A65CFD6CCC13F3459395FC
                                                          SHA-256:2DCEAA5F2B3661B8BBFC8C3EB4C8AA9464D1A113C53375A0B23618CA32F98EAB
                                                          SHA-512:7C4FFBB64965074667987D88E740046DB9BD17916A6D6019EBBCAAD441A7AB07E88A29E9FB5BDF07C6F58AE19120935EBCD650D0F9B03DC3E969911181749002
                                                          Malicious:false
                                                          Preview: [Driver Type]..USBXpress....[Driver Version]..3.3....[Product Name]..Silicon Laboratories USBXpress Device....[Company Name]..Silicon Laboratories....[VID]..10C4....[PID]..EA61....[Relative Install]..Relative To Program Files....[Install Directory]..Silabs\MCU\USBXpress\....[Install Subdirectories]..x86..x64....[Install Quiet Mode]..Off....[Uninstall Quiet Mode]..Off....[Copy Driver Files]..No....[Remove Copied Files On Uninstall]..Yes....[XP_2K_2K3_VISTA INF Files]..SiUSBXp.inf....[XP_2K_2K3_VISTA Driver Files]...\x64\SiUSBXp.sys...\x64\SiLib.sys...\x86\SiUSBXp.sys...\x86\SiLib.sys....[XP_2K_2K3_VISTA Catalog Files]..siusbxp.cat..
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\C3C84A4C\E1510A13\SiUSBXp.inf
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):5.224754517663399
                                                          Encrypted:false
                                                          SSDEEP:48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
                                                          MD5:BC384072A8A9F073B51EF98ACF303D5B
                                                          SHA1:30235521EB314146B1FD71B67F3CE7D920E2668D
                                                          SHA-256:0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
                                                          SHA-512:7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
                                                          Malicious:false
                                                          Preview: ; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\C9AB7ACB\7AF51026\cie1931.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:08:09 15:39:41], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):336534
                                                          Entropy (8bit):7.115911162455732
                                                          Encrypted:false
                                                          SSDEEP:6144:GI2tAK++2lUccb5UeseFVYp9WabwF+3bbveA:GI26Kl2lURb5UeseFIWabw83bbGA
                                                          MD5:A4EC7C5FA49097EA26788ECF321A50D0
                                                          SHA1:087058EFA3499B861E24C32A6EB5B86C86470935
                                                          SHA-256:CA503EF7FDD964353860C55ED9924F9F02434D07B2A075E8E477CAFBAEF195F1
                                                          SHA-512:91D99DF6CB4F2DF763C6F9CA59DE45AF3647142F371BFCE672519523285EF94F57403617EC37806F3E131E682925AC8AC12B2C381306C2E5BF5491FA98DD0260
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D2758F69\B65B8ED4\cie1976.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:05:23 17:15:12], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):313463
                                                          Entropy (8bit):6.814020649307973
                                                          Encrypted:false
                                                          SSDEEP:3072:xzqzFaS2L8hls4H5oU4+6h/qeGVra2FA6nZqWTs9MRS:xzqzFp7ZoA11a2F/n1T3S
                                                          MD5:E6F16A7651B2C498F5506220CD24B3F7
                                                          SHA1:A1463B7A75A1309135F086CD026A334439EE624D
                                                          SHA-256:BC3CD3B0F623353B0067F670DA41E5639E2BF722954A67D3737E7CBBF39F6291
                                                          SHA-512:F66867FA36BA8BB34690FECACEB9FFB07E966B61D0994C19B5E1A1D637C7D3393E5B313C3F48FC03743E0E0F7BF998B9C3E51203F8160EA2C08CF87F425BC3AA
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):20469760
                                                          Entropy (8bit):6.646788174507154
                                                          Encrypted:false
                                                          SSDEEP:196608:r4Z+O+3MQUGqcJ8g+QwA9Nst9zmJemKD:r4xJGOA/Ooe7D
                                                          MD5:4CB8BE08741CF33831104499F1240830
                                                          SHA1:ACE76BA4ECCA1A4CEA87CFA539F60E969258DBA9
                                                          SHA-256:26A4B2A211FF8078C7E232A1AE4290A92BD0DF171E5416CBC97BC3B4C3379681
                                                          SHA-512:37FEF919B225EBB1E78E36A91C3A2D1530B47F65B8226B07BB9A86AEFD1B0F7889EC05CB731EBE2AFD2B346456B3FE5AC7AC95682B788366F3C5977E2B1A4D26
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, Author: Joe Security
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D532E401\20073942\mdd_0.ttf
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:TrueType Font data, 15 tables, 1st "OS/2", name offset 0x30a0dc
                                                          Category:dropped
                                                          Size (bytes):3189464
                                                          Entropy (8bit):5.995760690515092
                                                          Encrypted:false
                                                          SSDEEP:49152:aKGJGTV0L61KRCn7GvLkNrxCQ4Skrrlh67iPFfR:XGJGR0L3k7AhrrltR
                                                          MD5:134EA9D05DB33ADF680B8440F715CCF9
                                                          SHA1:3122FD8759ACB7562A98F6349EF0E2E46A018895
                                                          SHA-256:70F760EE31BB569EC53E33B44A699643898DC8C65B3034E370953AFD1E63964D
                                                          SHA-512:C512C3F68EB90C5A6D78D2F00559A42CE492131F0CC6B18A5483B57E906793EFAFD25785F0836483214333AA9E77960DD6C6F32FC8292178644FC9E4D2B91A9B
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D83B2FF9\7AF51026\tm30image.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2015:12:30 17:35:06], baseline, precision 8, 800x800, frames 3
                                                          Category:dropped
                                                          Size (bytes):94892
                                                          Entropy (8bit):7.270988868597474
                                                          Encrypted:false
                                                          SSDEEP:1536:s8c3FL8w+sqCi2MhzmZRRgFwHXbGZC17CFIQTUH4dlqUtIeKFwWIQI5uDKRID:s8MF1hinpmZRR0WXqZC17CFV4YdcTeKX
                                                          MD5:628BA21B5C6B2759EAE8A66A6BE2C6C3
                                                          SHA1:349D8736B69DCBB1A0C58736B5006E19737D2144
                                                          SHA-256:871AF5869E6B0D8AAD4EE8B45AA02B4349FE0BFD35B0B6960DC7C177E33DB05F
                                                          SHA-512:70FDE4CB2C719F10B6B407FDB5453B2D7CD672F3FE3F8185CC86B988FC94A2680E8161E382DAF2C99F04ECA0654A6E1DB38FF0D41A672928FEC508E50649CBD7
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\DAA0442\526B362B\LICOR-start.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 600x360, frames 3
                                                          Category:dropped
                                                          Size (bytes):20110
                                                          Entropy (8bit):7.456114321529859
                                                          Encrypted:false
                                                          SSDEEP:384:NJ22ogJO6LBHPVzp7/C5Xy2bbd4632YQdkA4lliVhU:kgJO61NN0Xykbd4IQ2A4lliVhU
                                                          MD5:DB5050170386F50D5268871E82F8CF49
                                                          SHA1:269AD18CEC7382CE70192A9E9805324EE50889A9
                                                          SHA-256:C3242691970CAA16C3508D08309EEAEB38310AF944EB05CC51FD32ED31F9D14B
                                                          SHA-512:70C31CF3ECD273AB431F7A92BA7D44AC57ADF9B49B8C2A10C2A8180A26ADB6CE8BE156E2412336B1FC434C46381BB95BF1A98D682B26275A3F2433CE83AADBB6
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):90112
                                                          Entropy (8bit):5.9593050226304385
                                                          Encrypted:false
                                                          SSDEEP:1536:EFrG2x+yr66sN/Cnj3sxacCtmkAdheNcief1n9JNABxojxiM:E1G26wjNtkT9JaBijU
                                                          MD5:8D32BE58B5F5BD7317628BF6BE577DB7
                                                          SHA1:C43BCE281CDB08C4B36D7C15B2817C901B75A9EE
                                                          SHA-256:4CB634E37C2622AFBCDDF706868F4E992DB59B7BBB6F99820EC636307F833C32
                                                          SHA-512:DB27E8DD5361424D98C4894B8D9163CE88A51F31F343C8474CCEB30C353EEBFBAD92F2A252B299E7E52B203CB69388E875CFE5680BBA36D7ACB807F955D0EC77
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\E379E83C\7AF51026\CRI2.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=12, height=945, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=945], baseline, precision 8, 800x800, frames 3
                                                          Category:dropped
                                                          Size (bytes):317756
                                                          Entropy (8bit):7.8934485714815565
                                                          Encrypted:false
                                                          SSDEEP:6144:mbVolEvG4/Rkez+lh6MLh/kRG2x2yiQpWMJGzxBYDH:GolEv6ez+SY2vpgYDH
                                                          MD5:F41266D03391E18B49F781EC376AE02E
                                                          SHA1:776BD803EDA70C5463F595B670A17F1CBEC3045E
                                                          SHA-256:D6F4C7DF131CEB1357BF951E2AF27349A583D53500A9CA0D60BDF2F0202DE8D6
                                                          SHA-512:0D6D6D0B0F01AFE5585E7011F19ABE85305418819C8F319CF13E0CC1591C9A462E8388C5C3F9EEC4D8190C080BA69E075784047A9E9C1CF7CE96AAD22135FFA4
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\E5444EFD\CD0E66BD\LI-180_Log_Example.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with very long lines, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):3750
                                                          Entropy (8bit):4.008741802403102
                                                          Encrypted:false
                                                          SSDEEP:48:+8OFBBLkDlmXEhePfniR+sZ5URhyfahrXp7zfBSLnJ+PnshS6CI+zRI7yjShRhxd:l0Rvni6RbpXfCnISCdnwX/JU9kwbC6He
                                                          MD5:6B725689715D05FF07DDD4446546AE98
                                                          SHA1:E6393831097644DA12EE0CEEFE2C4E3FFD60CD7E
                                                          SHA-256:6BFED87E667BACB00FB1BD98AC564E4A43A120679BE91378C485FEDD5D91A7FE
                                                          SHA-512:9C3A3D4632B9E0076F61966252480068B3343F709F5A923E84D70DEA2BAE21DD9500F4B6146B048F7092333BFDCE9B78EF4D79AB49BD8359FC5D572A6CFC80C5
                                                          Malicious:false
                                                          Preview: Model Name.Serial Number.Time.Memo.LUX.fc.CCT.Duv.I-Time.x.y.u'.v'.x10.y10.u'10.v'10.deltax.deltay.deltau'.deltav'.LambdaP.LambdaPValue.LambdaD.X.Y.Z.S/P.Purity.CRI.R1.R2.R3.R4.R5.R6.R7.R8.R9.R10.R11.R12.R13.R14.R15.CQS.GAI.TLCI.Rf.Rg.PPFD.PFD-UV.PFD-B.PFD-G.PFD-R.PFD-FR.PFD.Pct Flicker.IRR...LI-180.C16M0094.2018/06/07_18:38:57..543.148682.50.478500.5279.000000.0.002312.810.000000.0.337866.0.350264.0.207044.0.482942.0.344412.0.343248.0.214248.0.480429.0.000139.0.004689.-0.001705.0.002343.449.000000.13.986156.564.000000.523.924194.543.148682.483.612244.1.822421.0.064443.72.989456.71.441299.76.929138.79.267715.73.732475.71.476006.67.393066.82.017883.61.658089.-16.677534.43.856194.69.527214.42.825092.71.514412.88.933922.66.551353.71.674065.81.703079.50.969234.70.737282.94.565559.7.421987.0.007622.1.738674.3.647980.2.086047.0.279896.7.702174.0.000000.1.674243...LI-180.C16M0094.2018/06/07_18:39:02..569.244202.52.903736.5288.000000.0.002364.780.000000.0.337633.0.350170.0.206922.0.482862.0.34
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\ECC34BEC\3EF45B9E\ANSI_Ellipse.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1004
                                                          Entropy (8bit):3.811029766434935
                                                          Encrypted:false
                                                          SSDEEP:24:cXRbzjOJi/CG1wwHPINYdBvmCQI9MSDVG:eRfCJi/CGVSY7x39P4
                                                          MD5:30638861125319A8EB54E0F75F953AD5
                                                          SHA1:8091B23543DE04CA3769A9C913C0AFAFD3191BC3
                                                          SHA-256:F6DFE926CECB9139750FC181961260E75817587C353BC525A7E018A2A571DCB1
                                                          SHA-512:3175EAFF7FF111EEBDE48459CDCEDBDD7927F3B0FFEE0B29B53A932F51007F19927E8448B4D31F31D0D95312273511C752E7DD0BC7634EFE212C578EC84DC3ED
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377.......E10.......0.4813.0.4319......0.4562.0.426......0.4373.0.3893......0.4593.0.3944......E20.......0.4562.0.426......0.4299.0.4165......0.4147.0.3814......0.4373.0.3893......E30.......0.4299.0.4165......0.3996.0.4015......0.3889.0.369......0.4147.0.3814......E40.......0.4006.0.4044......0.3736.0.3874......0.367.0.3578......0.3898.0.3716......E50.......0.3736.0.3874......0.3548.0.3736......0.3512.0.3465......0.367.0.3578......E60.......0.3551.0.376......0.3376.0.3616......0.3366.0.3369......0.3515.0.3487......E70.......0.3376.0.3616......0.3207.0.3462......0.3222.0.3243......0.3366.0.3369......E80.......0.3205.0.3481......0.3028.0.3304......0.3068.0.3113......0.3221.0.3261.............CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.463.0.42.0.00258.0.00137.57.17..3000.0.44.0.403.0.00278.0.00136.53.1..3500.0.409.0.394.0.00317.0.00139.52.58..4000.0.38.0.38.0.00313.0.00134.54..5000.0.346.0.359.0.00274.0.00118.59.37..6500.0.313.0.337.0.00223.0.00095.58.
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\F28C57DF\B65B8ED4\chart_cie1931w.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 663x654, frames 3
                                                          Category:dropped
                                                          Size (bytes):52016
                                                          Entropy (8bit):7.671803743250698
                                                          Encrypted:false
                                                          SSDEEP:1536:HQeswjrRRDzYtzY04Q1lIeSqDye7R6CvZJz+75:wbwjrRRDzY1Yjq7SQ7RjvZJzW5
                                                          MD5:5A5A18D04A1E20512F32E8C21F286E4A
                                                          SHA1:5193582C703AFCB9FFFB84C46B6837BBE9026BE0
                                                          SHA-256:827E3E67CD174BBA9A30FB11F0E0419DA0384B84CCD2050E6246701B505FAEF9
                                                          SHA-512:DB5B18AA3358736EED43F9EE3F3284AB15DFA22606FFBB7CD278036BAD380F91F8FFD1F07AC2CB6D7AE4C879E7369716A61E3EED85AEBF09B742811172107434
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\F4ED2515\3EF45B9E\ANSI_2011.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):881
                                                          Entropy (8bit):4.0063232350310995
                                                          Encrypted:false
                                                          SSDEEP:24:cGIV0UVuKaZuTAQaQubrOcHge3vQTDVz6y:eVzVudZuTOQublB/W1z
                                                          MD5:ADDCFE247A6E035209CCCBD99F699EA1
                                                          SHA1:764AD762AE4E1A063F57C2C8E2D18AB0DC5141EA
                                                          SHA-256:505C3D93C19A8C64D5131AB94E1CBD77BDA4EF1A1B7187D731510C2CB5DFD3A6
                                                          SHA-512:9A77CF8974BA731D8436C9E1F4B0B1D8990B8733BE86A26566808AD134B1B0E6EB4A599CF7AE7037BCD8878906548310F7686A024DD88DB7E507CB983DB97C55
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377-2011.......E10.......0.4811.0.4315..0.4561.0.4259..0.4373.0.3892..0.4591.0.3941..E20.......0.4561.0.4259..0.4302.0.4171..0.4149.0.382..0.4373.0.3892..E30.......0.4302.0.41713..0.4003.0.4034..0.3895.0.3708..0.4149.0.382..E40.......0.4003.0.4034..0.3737.0.3879..0.3671.0.3583..0.3895.0.3708..E50.......0.3736.0.3879..0.355.0.3752..0.3514.0.348..0.3671.0.3582..E60.......0.355.0.3752..0.3375.0.3619..0.3366.0.3372..0.3514.0.348..E70.......0.3375.0.36169..0.3205.0.3475..0.3221.0.3255..0.3366.0.3372..E80.......0.3205.0.3475..0.3027.0.331..0.3067.0.3118..0.3221.0.3255.........CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.459.0.412.0.0027.0.0014.53.7..3000.0.44.0.403.0.00278.0.00136.53.22..3500.0.411.0.393.0.00309.0.00138.54..4000.0.38.0.38.0.00313.0.00134.53.72..5000.0.346.0.359.0.00274.0.00118.59.62..6500.0.313.0.337.0.00223.0.00095.58.57..
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\FC8C594\7AF51026\LICORC.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:08:07 16:10:55], baseline, precision 8, 424x389, frames 3
                                                          Category:dropped
                                                          Size (bytes):65664
                                                          Entropy (8bit):7.563574997001168
                                                          Encrypted:false
                                                          SSDEEP:1536:J3UYDQO5/EOYE+HZYS+up2wvGon6fR93oV:mk5JU5YS+uN+9s
                                                          MD5:A57E8C6BB8787217316ACE238BDFF43A
                                                          SHA1:03C311EF7213EF6219391E1DEE6BEE781C32B97C
                                                          SHA-256:C339438B62D436692A6363693799D818CEE49F043EDE20C7E06DF1E4947855EB
                                                          SHA-512:48CDF60EABA0BC8AF560E3B4E75481EE0EDCA7FCB763B63FD3298883676AA2E92936E537891DC48ED5230AD75AB48EEF3AD9395A40EF889FE74A03BEA42F271D
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1340928
                                                          Entropy (8bit):6.677299856016359
                                                          Encrypted:false
                                                          SSDEEP:24576:89mKmMTfYBbuMNX9PnKMHxXgrptvZzDMbxBqSwY1raig5CUd1t:89mn1buMNX9yChIGbxUSwr57d1t
                                                          MD5:57C34F9689A69BE0C1CD7F6FF3FDA546
                                                          SHA1:54F0D3CB9693D8937AA93301AC66D25CDEA9B628
                                                          SHA-256:2C2095721E9E7B3CA68D08D5F3D6E0528B8BCED9A45CEA638CF4B8212E9B139E
                                                          SHA-512:01C95F082FD71DAD1BC686F37B7CA06724936B2E02294147EEBE384910809ADC8D802D89016CFA423C1181D531CE6C8D0AF4C95F633D8AE8D6AAD3B10C842F4D
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\mia.lib
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1335758
                                                          Entropy (8bit):6.607116387652834
                                                          Encrypted:false
                                                          SSDEEP:24576:kKLeEbW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ5e:jLeEbasY6DwOBfrnvV7UeWtPe
                                                          MD5:2957FB70B1A610B54D98CC4FB2F8DCEC
                                                          SHA1:68319EBF22A4B7D3B52B2E1198CF61535D024E24
                                                          SHA-256:30B0CD1B04F0B39251614DB60C5F9AD7E98E4201B46CDF4C850942A14F03ECD0
                                                          SHA-512:873CCADABA7A9A639328B42360166BCC427C7298FF743829C3BE92F0FBD9EF8D000F64B799765EB80D42F8BFC5196BF1083752D33840359909E9DA740B15C489
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6156254
                                                          Entropy (8bit):6.3901059849449515
                                                          Encrypted:false
                                                          SSDEEP:98304:IBCWJvXmK0COmVbcEkT/THDXPaV0L8l4AWn1eyeHszH2OsP4PqyK13icjqsNTUja:IIWJfmK7cEkT/TuV0hZseHiFII
                                                          MD5:A94344CD648287F3BC40B538AF42190B
                                                          SHA1:97A112188EAA93633C88BB7087D021BB565DD232
                                                          SHA-256:1AFB50E204A6511B43D62B8ACF150E256921DF3B2A98046C2F7071377BB30FC7
                                                          SHA-512:A291392F131E37E08D1B6DD67E38D9318CB0C5F4C6B4F6F6EE847FE7E589160B763A3E578F0535A9ADFC016723CFC22F661029D3B2F05C2CD8E495D669C3AF07
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe, Author: Joe Security
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.msi
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.res
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:7-zip archive data, version 0.3
                                                          Category:dropped
                                                          Size (bytes):3902968
                                                          Entropy (8bit):6.223067831964042
                                                          Encrypted:false
                                                          SSDEEP:49152:5XHXAgwX91XhXWXbXRXVXgXLwXmJXFPId4xSSS/mlfQYSvpcbuMNXCSpA+xUS5ad:5CASSvWHv5e
                                                          MD5:EDA618F20514ECF18BB76A912EFDCA5C
                                                          SHA1:4C67E979C888877340DEAE91FAB10A47D34CC62F
                                                          SHA-256:35D753D12BAA6A54A74BCCF75D6F5803709E60239E1B7CBD8562D683020A3D4B
                                                          SHA-512:30CE9317979416E40024C2CE5B6F3EF2B454118F9371F5C86948B659B98D8128D07902D3B524C389D6621B0027427DCACEEBBAF1D223A3A63D9818122FC3E952
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-180_Installer.msi
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):76728
                                                          Entropy (8bit):6.254581045679638
                                                          Encrypted:false
                                                          SSDEEP:1536:edjdN2c6vBVoJFLVbRv4e1R42TtHT/tNzxU:edNmVGFp9B1TtHT/tNzu
                                                          MD5:980ABD131E4B45DC8ED554D3EE0C2044
                                                          SHA1:B6041667248E9AD0CED547B33C16BF1D8A495661
                                                          SHA-256:0D75323B0EEFE651374099234B718DA70FE3C160D62BD73B49579CB07C4DDE4B
                                                          SHA-512:0429B94DD0871CB8EDB02DDDDEF2E5D21D22B09D96DCB1CF937E35B2D085742CEBDF121591902FD0A686078F9F241C5551892D1BBFC15E2B094D39BEBA159C5A
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1305600
                                                          Entropy (8bit):6.66768345397406
                                                          Encrypted:false
                                                          SSDEEP:24576:yIAaJZ7NOcdUT4OELlCRmLrxB4Swz+hLnNlAj4HdH:HcWgYfxSSwz4A6
                                                          MD5:511629FCCFB6C536A8F6FCBF4AA06401
                                                          SHA1:6931DE3FB845AF6CD30348108A98767268EF6200
                                                          SHA-256:65AD010679A748A7174ABE1C314E0F1AE78E7BE69DEC22F0357536F21399C68C
                                                          SHA-512:D51248F81789E8E2DEFB7B59E551B3FF705C8D8BB098AC66E7A4C7C9AF48855544BA44D6256F02052B6D525753A645E7EA601F421A5918446A231775F89E081C
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1050104
                                                          Entropy (8bit):5.617498652730841
                                                          Encrypted:false
                                                          SSDEEP:12288:uIId79EaUTvwieMozMEcOigSpuPMaLium:xIdqaWw1MsbTScP0
                                                          MD5:BE3C79033FA8302002D9D3A6752F2263
                                                          SHA1:A01147731F2E500282ECA5ECE149BCC5423B59D6
                                                          SHA-256:181BF85D3B5900FF8ABED34BC415AFC37FC322D9D7702E14D144F96A908F5CAB
                                                          SHA-512:77097F220CC6D22112B314D3E42B6EEDB9CCD72BEB655B34656326C2C63FB9209977DDAC20E9C53C4EC7CCC8EA6910F400F050F4B0CB98C9F42F89617965AAEA
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):921992
                                                          Entropy (8bit):5.698587665358091
                                                          Encrypted:false
                                                          SSDEEP:6144:EZtaKSpwmx5ATm/LC3fwf3OoU9xkYSr/mdBTRhKWIjsRP/1HHm/hHAM8i6r+LyIU:EZxSpwmxvL/f3vCN1PMaLi6rAyIQjF
                                                          MD5:30A0AFEE4AEA59772DB6434F1C0511AB
                                                          SHA1:5D5C2D9B7736E018D2B36963E834D1AA0E32AF09
                                                          SHA-256:D84149976BC94A21B21AA0BC99FCBDEE9D1AD4F3387D8B62B90F805AC300BA05
                                                          SHA-512:5E8A85E2D028AD351BE255AE2C39BB518A10A4A467FD656E2472286FEE504EED87AFE7D4A728D7F8BC4261245C1DB8577DEEEE2388F39EB7EE48298E37949F53
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\1EA7FD63\B65B8ED4\box_feature.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2152x581, frames 3
                                                          Category:dropped
                                                          Size (bytes):155551
                                                          Entropy (8bit):6.411518614321463
                                                          Encrypted:false
                                                          SSDEEP:768:n/Tstz8ofLN4p+QaOZV4sprBPMCCWn1YyNKlz6J6J6aX6g+6J6JP696J6JsoK3:n/TY8ofZ4MQbesp9Djn1IlzbX8v3
                                                          MD5:BAE95521060E3A852BB0753BB15DE01A
                                                          SHA1:EE52EA3E495D25CF5D0795DDCC2D9AF710EC381B
                                                          SHA-256:983617EEF70FB3AD4BA79E652D15C7254D2CDA3D8C963F9B97AF9E850CCD1631
                                                          SHA-512:AB25284B9A81600F5850CAD8E7E1A9C18D150072DBBC53A3CE1F26A7EFA95980D786EF69E23BB5787F06DEBD0A4D26EE9368713994EED601774FA315CB39DB47
                                                          Malicious:false
                                                          Preview: ......JFIF.....,.,.....,Photoshop 3.0.8BIM.........,.......,........i.http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.277092, Fri Feb 23 2007 14:17:08 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:dc="http://purl.org/dc/elements/1.1/">. <dc:format>image/jpeg</dc:format>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang="x-default">20141009-2</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xap="http://ns.adobe.com/xap/1.0/". xmlns:xapGImg="http://ns.adobe.com/xap/1.0/g/img/">. <xap:CreatorTool>Illustrator</xap:CreatorTool>. <xap:CreateDate>2015-12-17T17:11:43+08:00</xap:CreateDate>. <xap:ModifyDate>2015-12-17T09:11:49Z</xap:ModifyDate>. <xa
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):24576
                                                          Entropy (8bit):5.444427923348303
                                                          Encrypted:false
                                                          SSDEEP:384:8JZ8/zig4KI5XHhdq4Jrd6T0ZUi/WP0m1g5TkgCGDZaV55K6Z0MFVIZnJ96FkU6X:vBM53ZJrdJUi/WP31d/Gdo5KgLcnJkzg
                                                          MD5:971FA2980AB94A90B6A9A8385267E653
                                                          SHA1:FC739185177A85ED04B71C6A8D5FDFB72D919306
                                                          SHA-256:25E3D0517AFCBD70C1EBB53097F096E1BDA49DC4524E3C858489E5EC12825608
                                                          SHA-512:6D905EC5FCEE1F8ED2870AF0714A6C630DE3E8D8611406486ADDA08ECFC1873BD57932ED73F42EF93E4F49D40FCED13CA5C1C99795E8C0CECBBE6B56327E1337
                                                          Malicious:true
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3431048
                                                          Entropy (8bit):6.400282478958549
                                                          Encrypted:false
                                                          SSDEEP:98304:ApT2oBS2w3Hp1SSx1Q2z1m6h9f8O30TjrZhdaNEzScif30g6vRpJuz1eyg9q44Ua:AxkQr0JnkTjrZh4jSJYZAqn+IgFyPne8
                                                          MD5:B24DF87B183ACE8FA4ED9D7504DDE689
                                                          SHA1:8C0439BAEE1E2E868A40D0FB524C535E8EDC9EAA
                                                          SHA-256:2B67C9E6F17A6E1DD56CB7F4F0D0A987475272355F758704B3CF1EB7A3E83BDA
                                                          SHA-512:E22ECBCBECE3F3594E8C66CDB17253E29A602512DFA20D80B5BECA4CF930DF83026374BBFFAB113C6A5F8CF83A1C60FE3188E14B87C1468C961FB6B693842197
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\3575565E\3EF45B9E\ANSI_2008.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):880
                                                          Entropy (8bit):4.024090783286004
                                                          Encrypted:false
                                                          SSDEEP:12:cykZUsywNgUhlC9SB1SzsQz3+WS+ineL85LAYr3DVJB4Rhby:cHWLSgU2HzOyieQTDVz6y
                                                          MD5:9A927231F267D229F8F1A82145D7B6B5
                                                          SHA1:3CCA3B1C9A43FD3D3E67C501BD0FC76BEA279C12
                                                          SHA-256:2692C10AC8F820DC79F297CF5375B5ECE84C04F9940ABC7575DBAA419E04F3E4
                                                          SHA-512:E8DBB142E0D1DC047307BBE0604383AF5ABC5B62A2DA0B13F07D59544324FFC745684A2E772E6CF9F1C8FF74B2E6AFD080879EA2DAD262D9EE887346143DD968
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377-2008.......E10.......0.4813.0.4319..0.4562.0.426..0.4373.0.3893..0.4593.0.3944..E20.......0.4562.0.426..0.4299.0.4165..0.4147.0.3814..0.4373.0.3893..E30.......0.4299.0.4165..0.3996.0.4015..0.3889.0.369..0.4147.0.3814..E40.......0.4006.0.4044..0.3736.0.3874..0.367.0.3578..0.3898.0.3716..E50.......0.3736.0.3874..0.3548.0.3736..0.3512.0.3465..0.367.0.3578..E60.......0.3551.0.376..0.3376.0.3616..0.3366.0.3369..0.3515.0.3487..E70.......0.3376.0.3616..0.3207.0.3462..0.3222.0.3243..0.3366.0.3369..E80.......0.3205.0.3481..0.3028.0.3304..0.3068.0.3113..0.3221.0.3261.........CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.459.0.412.0.0027.0.0014.53.7..3000.0.44.0.403.0.00278.0.00136.53.22..3500.0.411.0.393.0.00309.0.00138.54..4000.0.38.0.38.0.00313.0.00134.53.72..5000.0.346.0.359.0.00274.0.00118.59.62..6500.0.313.0.337.0.00223.0.00095.58.57..
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\36706E48\3EF45B9E\ANSI.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1004
                                                          Entropy (8bit):3.811029766434935
                                                          Encrypted:false
                                                          SSDEEP:24:cXRbzjOJi/CG1wwHPINYdBvmCQI9MSDVG:eRfCJi/CGVSY7x39P4
                                                          MD5:30638861125319A8EB54E0F75F953AD5
                                                          SHA1:8091B23543DE04CA3769A9C913C0AFAFD3191BC3
                                                          SHA-256:F6DFE926CECB9139750FC181961260E75817587C353BC525A7E018A2A571DCB1
                                                          SHA-512:3175EAFF7FF111EEBDE48459CDCEDBDD7927F3B0FFEE0B29B53A932F51007F19927E8448B4D31F31D0D95312273511C752E7DD0BC7634EFE212C578EC84DC3ED
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377.......E10.......0.4813.0.4319......0.4562.0.426......0.4373.0.3893......0.4593.0.3944......E20.......0.4562.0.426......0.4299.0.4165......0.4147.0.3814......0.4373.0.3893......E30.......0.4299.0.4165......0.3996.0.4015......0.3889.0.369......0.4147.0.3814......E40.......0.4006.0.4044......0.3736.0.3874......0.367.0.3578......0.3898.0.3716......E50.......0.3736.0.3874......0.3548.0.3736......0.3512.0.3465......0.367.0.3578......E60.......0.3551.0.376......0.3376.0.3616......0.3366.0.3369......0.3515.0.3487......E70.......0.3376.0.3616......0.3207.0.3462......0.3222.0.3243......0.3366.0.3369......E80.......0.3205.0.3481......0.3028.0.3304......0.3068.0.3113......0.3221.0.3261.............CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.463.0.42.0.00258.0.00137.57.17..3000.0.44.0.403.0.00278.0.00136.53.1..3500.0.409.0.394.0.00317.0.00139.52.58..4000.0.38.0.38.0.00313.0.00134.54..5000.0.346.0.359.0.00274.0.00118.59.37..6500.0.313.0.337.0.00223.0.00095.58.
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\383E736B\B65B8ED4\square.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 36x36, frames 3
                                                          Category:dropped
                                                          Size (bytes):811
                                                          Entropy (8bit):6.8734786141017254
                                                          Encrypted:false
                                                          SSDEEP:24:cwbGo0XxDuLHeOWXG4OZ7DAJuLHenX3wwObZF0E9Et:cUfuERAmjk
                                                          MD5:6A90C8F2391DF1AE3A0D4EF59B144E6C
                                                          SHA1:4C751BECA130B036BC5607290444B50104CE262E
                                                          SHA-256:CDE14B0A2A6B19A94EA227306823CCB1AE3C6E12939EAC2204C27F74C28D09DA
                                                          SHA-512:DB46E0B830C1753E7BA7D24AC341E96CBED8E98A96C2F309A1A0A82BE445ADADCB2D03B0D4CE5D194C313E68A9D21CB858EE2E93CBB233239190B1F811AB7581
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\409F08AF\B65B8ED4\box_information.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 1396x416, frames 3
                                                          Category:dropped
                                                          Size (bytes):22296
                                                          Entropy (8bit):6.223707808164865
                                                          Encrypted:false
                                                          SSDEEP:96:cAoE6DTpFWFWFWFWFWFWFWFWFWFWF18Z+Z+Z+Z+Z+Z+Z+Z+Z+Z+ZKgngngngnw93:FopYkkkkkkkkkkIQQQQwGfo
                                                          MD5:AAB4F09BBF6A3AE3E9A95E32958BA66A
                                                          SHA1:9D20AC06988DF7B9872B7CFBC39D8BC90CFB7532
                                                          SHA-256:1549FF975A60DBE53F63D8B977FA43AC1059E96AC2FFA0E0EF311726898ECE70
                                                          SHA-512:D4FF44288413D19BC487133B8E9CEADC8223B64836EB69C6994FCEF28D23FD43E6AA9B6E62F2634AE41CD1471904E28FCFEA0710C6D254B17E1361A8DC8CACC7
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\44DB77AB\7AF51026\LICOR.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:08:07 16:10:23], baseline, precision 8, 424x389, frames 3
                                                          Category:dropped
                                                          Size (bytes):55788
                                                          Entropy (8bit):7.406277105755755
                                                          Encrypted:false
                                                          SSDEEP:768:wjlNHlM3wYyUD6bOu8/Psvvm13GZ7I8fZgnpM89UUWnuY:p3wYDQO5/Ev+1WDfZ9893oV
                                                          MD5:4A482C8F0C46BD5D8C3D6739AD1BC7C8
                                                          SHA1:E543A7289D861A0F9ADD6B33ED1D837AC89FCBA6
                                                          SHA-256:FB2BFC19FBA5DA463FACE6D76EFED53CB1A2F307D3E9C5BED8E7D11B8BBFE2D1
                                                          SHA-512:7F910843D036135070DA2F14524F628C2CE3EFE9A1AEB0DAD1DB63578D1A55C7ED25E573E1A15568A253FDF51D0339423A127703DDAF2EFAC55D2B0E701696DE
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8981
                                                          Entropy (8bit):6.952810377972559
                                                          Encrypted:false
                                                          SSDEEP:192:6IKsjkeBneIyCNECwnVhjeyveCtAW5LfsxhQ8tsU:1KskI/w/jpvjAGLa3t/
                                                          MD5:FC43EB094C0074FCD29ADC9A742371D9
                                                          SHA1:21EA184EB636E45550BD6A18CDAF08AE19DDD776
                                                          SHA-256:993B957EB5EAC489092B25A51473CE9B4BC49835673999BC4A95440318194D8A
                                                          SHA-512:6A1ACB42C8A6A18E956431F62A89E3BFCC3484683C2934358ACA50D3FCB42D7FD244625C39D78B4983050BE26B9C5114AB53E41DB429B56BC336D33A2B4B3380
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):17408
                                                          Entropy (8bit):6.017219183396955
                                                          Encrypted:false
                                                          SSDEEP:384:Hb8p/BVUEZg4exDJKDYh3jOB2raIc15FdIq+m:mcdY0h8GaIudB
                                                          MD5:812318F3E7BD682E1C22F0B707F66E82
                                                          SHA1:AA17A293AEC2BF1239779A8D439F84B2602D76AD
                                                          SHA-256:9B4C47FAA4BD6F22E75CF8430BAC37E48108C35B6737850E583EFDC37C4D8A81
                                                          SHA-512:961BF96B873E269AD566B33243DF872D989AAB6EB51E29CC984D26BCCC331DDB60B45B301C2FD13D9F5E10BC26CAEFBD948D305D35EBAA22515453A3CD57CFD5
                                                          Malicious:true
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14592
                                                          Entropy (8bit):6.033771703962439
                                                          Encrypted:false
                                                          SSDEEP:192:+Dj6z0KomA4LWbM09xLu+YMJpJ7CBMS8iCtSRGb2T+OuT+evhuj4tmkG:+Dj6zHAqW2XwFCjRjyHyevdm/
                                                          MD5:599F3715602F4CB09AD0FDC606E3B9D9
                                                          SHA1:659F9A1CF662260F3FB197E6FE3592922014E831
                                                          SHA-256:589FEA41EF48ACD9F0FC54AB25A430E5627D17E8EC3C950F3C5CB71C348E9B8D
                                                          SHA-512:56E55D7FD6330E2BBE60BD79D7502E22CEDC9F448982C54E9C924BD57B3C0741E634883435BA4621DB80852D7F47A081FA4FA4302217BFB4BF87558F7EC233BB
                                                          Malicious:true
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\587D056C\9426740A\CHK_20131028_165820.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Microsoft Excel 2007+
                                                          Category:dropped
                                                          Size (bytes):8720
                                                          Entropy (8bit):6.701734712242596
                                                          Encrypted:false
                                                          SSDEEP:192:8RuQ59v4QSpEeUWb2CAvib49uOHbYJy8Wn:O5l4QSpNJb2CAve49xHbr8A
                                                          MD5:BFC68AF73FFA1AA121D292B61E6EEE17
                                                          SHA1:A45A0D6C4CC9571BC9DB1E5984EB42BA467A61C1
                                                          SHA-256:857F749226E477CD880AD1EFC5CFE90F819CA7187E3E229C341FC892F516BB62
                                                          SHA-512:1CA0F915594FBD9359A301852DB87FC62C29D7C27513A35BBD314106BA3DC58331D60DAC875F29ECCC642CF34C9D4BD5E2D79122D7B278E1FCB4251F879741C3
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\609B42C1\B65B8ED4\box_feature_ppf.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2152x498, frames 3
                                                          Category:dropped
                                                          Size (bytes):139076
                                                          Entropy (8bit):6.441878302402045
                                                          Encrypted:false
                                                          SSDEEP:768:nFJstzSYvn58tludWBaUVvef9YyzH+HRXPKX+HRgH+HlgPKw+HRgH+RPKUPn:nFJYNv2luEBaWmf9H45I4e4lOj4eKdn
                                                          MD5:13BC7A5820F748A41E20452055D323A5
                                                          SHA1:CA4D14E7B696A27A8D607AB390C056AAD8D47A45
                                                          SHA-256:1C16416D81D5078A524B0DCBAFFD9A74A6DFB01E694A27B9C43EA1DAAC3AA03A
                                                          SHA-512:2E60EC4AD6A9B9B6204BFE9046555FABF683C95CDF81168F15DB06FEC1B2782250C5FBA17B4B2269F2D6776609D3AD372E9658CB1BE3E6AB16BF8BCA0F768C68
                                                          Malicious:false
                                                          Preview: ......JFIF.....,.,.....,Photoshop 3.0.8BIM.........,.......,........|.http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:dc="http://purl.org/dc/elements/1.1/">. <dc:format>image/jpeg</dc:format>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang="x-default">20141009-2</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:xmpGImg="http://ns.adobe.com/xap/1.0/g/img/">. <xmp:CreatorTool>Adobe Illustrator CS5.1</xmp:CreatorTool>. <xmp:CreateDate>2016-05-03T14:13:19+08:00</xmp:CreateDate>. <xmp:ModifyDate>2016-05-03T06:13:23Z</xmp:ModifyDate>.
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\655BFA89\B65B8ED4\LI-COR-logo.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=12, height=684, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=3447], baseline, precision 8, 800x158, frames 3
                                                          Category:dropped
                                                          Size (bytes):87232
                                                          Entropy (8bit):7.76374401337514
                                                          Encrypted:false
                                                          SSDEEP:1536:bYczYcIalM6o5JJtLgDjnRG1fvAHDlwivG/wIqZ:bLpzoX4jnRG1fIhwiv4qZ
                                                          MD5:76FB5E4E25D73167940320BD69523801
                                                          SHA1:6EA73FD9F333AED01255690D5704FC031AD14D96
                                                          SHA-256:A4C401598FA51A19AD762520C3D217B8C4D0A7626B169C6A60B2126A7E53FE9E
                                                          SHA-512:9CD93A5CE8429490D47E50FA86DC2C18D167AA1AF9716AAB079D627A6DD1AD35EE388DABC25EA27C3C2B768F82FF17FDDBF10B24A140C252F67DC19325212D6F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\655FCA3B\B65B8ED4\box_basic.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 646x416, frames 3
                                                          Category:dropped
                                                          Size (bytes):9428
                                                          Entropy (8bit):5.6390537195983566
                                                          Encrypted:false
                                                          SSDEEP:192:c6yVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVMVUrVUrVUrVUrVUrVUl:hyVVVVVVVVVVVVVVVVVVVVVVVVVVVVVK
                                                          MD5:D6BF0E1638C32635B4B0E330DD4DA28E
                                                          SHA1:92B2747EB2E1DD1907697B4B40AA139448F4A653
                                                          SHA-256:5950D7AA6792FCDE26529D5C213954C33441C783C4DEEE2283AAA4998AC6EFE0
                                                          SHA-512:5140109E879C83EE9F7BD0D014D5004823155EB0E080DCED2FF10355C2A03E513318FCC83A610BDC55EAB00554CD0ADB6B1A909C50121809EC2A7116BF08EF40
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\67ACD331\98FBEBF9\Reference Spectrum.xlsx
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Microsoft Excel 2007+
                                                          Category:dropped
                                                          Size (bytes):34235
                                                          Entropy (8bit):7.799348435900692
                                                          Encrypted:false
                                                          SSDEEP:768:VXOQ5UiKo1zFbU9ZnApNIBZiQLmNI2e6vWRJFu3D7:VXiiKo1zFbU9ZA/IHi0mGz6vW/FaD7
                                                          MD5:C06B8A0334EF85F888F3DBC85669C3FF
                                                          SHA1:CAE0D2805B7452816D5CAC7C7A6B621EAC5E3F7C
                                                          SHA-256:E04ECF261F03F9168CD85B6FA025AC57917CD44B713B1A8D530B20C446C1211F
                                                          SHA-512:70F83D59F1496B16CA45C60A7E1C24A0FA526E1424FE6CBA0FAA4DC43033BA5B7B52C9C015F3EBF0475B9624C41C3A2FEF43CAA1BF76A4AF66ED0B2D0E7C22E6
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\6B339451\B65B8ED4\chart_criw.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 674x635, frames 3
                                                          Category:dropped
                                                          Size (bytes):27880
                                                          Entropy (8bit):6.875985710971225
                                                          Encrypted:false
                                                          SSDEEP:768:TToaGXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgJ8bXm:TsaGQQQQQQQQQQQQQQQQQmb2
                                                          MD5:D1A53D4B64F05A2871B04470C035F9D9
                                                          SHA1:BF0CD7A2DC6707C59D3038CC40A3F34F8629A240
                                                          SHA-256:FC9B2EFF24902D0408371AB727507F7C53F805038D340792D00D906E88E4AED5
                                                          SHA-512:5A9DFFB0AC796903E6E04B388C253F8234A2E86FDDA2FD5ACE230C6D3405DEF0F54C726DF81A2C862750F60BF497F35DE503EA0D4E430015674B15BC29DE8C4F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\6B481F13\B65B8ED4\cie1931.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:05:23 17:14:42], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):350390
                                                          Entropy (8bit):7.157320861579299
                                                          Encrypted:false
                                                          SSDEEP:3072:u3OzT+4vPqniUMWkPnMgZAWt9B2yxQ5FKIEaya4VsvSPcHNIjykqDY7oyZ5J1:jvPqiUMWkPMcBa5Fzn4kMcHNoHEyZ5X
                                                          MD5:38DFEBA72CD538D1256B67D2BF8FAE0C
                                                          SHA1:F8711D63148468FD8D712599342C504A0D1D3B72
                                                          SHA-256:FCFB2D1F9E427F3F1B8ED33B377D0493A0B9F0C7B5172C13DAABABD1F0086B9C
                                                          SHA-512:EB9151D05FE8FA3D3001581C276A802CAE768CD34A0F77FBFED9D44872BC41BA1D9C18625C2FBA24D625447B4769356F45E375927C3619BFA11E3A5F31109E81
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\6C0AF2E8\BE4A257\LICORlang.ini
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                          Category:dropped
                                                          Size (bytes):269766
                                                          Entropy (8bit):4.17943553746763
                                                          Encrypted:false
                                                          SSDEEP:3072:uukCl9EIczUzZz+zrJZzU7ugHJ2L30fNy7IrwnN5ME+siFGV9q88YFUn8fS5cP/1:vXF8tV
                                                          MD5:6B5601074757D38741CE5675B76388CB
                                                          SHA1:A10E15E42235C7910BA7241A5415E6426943D947
                                                          SHA-256:BD4B17BFFC964B105918140E2B15AF0C29292ACBFFB06E568E1269361B99F9DB
                                                          SHA-512:311E71E2570A5C39BF7C85573F11DDB449518413679BDC1219BF4D36239E7142053EC3D7B96A5359C1B25BD20744F3C6D0F24E94981EC297671100B57BA7EAFE
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\6DBFE203\342BBCE8\Cold.asz
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32243
                                                          Entropy (8bit):7.983643036707625
                                                          Encrypted:false
                                                          SSDEEP:768:FwZk43Try4rswSIWlZDbkP3PTVVzN7DlKe8pGY7eKIfi:FwK+yMswSbfDb07DzxlEqVi
                                                          MD5:AC1C8E08E905B7F2050F55295A054FF1
                                                          SHA1:76C174B7C484DE9691DE8F60E790222D1D5362D9
                                                          SHA-256:332EA0360575D993483B891C19DA9115342C8B207722C072E64F6D960BDA27E2
                                                          SHA-512:2F56A66363FB558760BB8BFC370EB5F6E3ECD3037FD6BA9763903BC0F1C420421FC55CA160EBA97A2772A49949BC649FBE66BA010C5BD456ED23DA88007052C9
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\7021623\B65B8ED4\chart_cie1976w.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 663x654, frames 3
                                                          Category:dropped
                                                          Size (bytes):49281
                                                          Entropy (8bit):7.677803253072959
                                                          Encrypted:false
                                                          SSDEEP:1536:HOz9vOQugFYu+r15YmntUPmng1hlWzqivgb50oVSLs6h9OTT+0:uz3FwxOPmg1GCSooLs6hM+0
                                                          MD5:4AE6C98119702AD8DBE19815759A9AD5
                                                          SHA1:DD6246D6C6A2606AAB9725156B6F3C6554670D60
                                                          SHA-256:948DC9829F0D27B461B7410CC20E42E8299FD9DC7CF29AD4C269133873A06810
                                                          SHA-512:2CD288A1E3FD13D44DD2C1F3B8D9ADEC9EC43231E71882CEBDF8D101DC1199018B20227E88B4B73310C019F26786D991CCB230E5D46340A913C5D0FB271B4DCB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\7493ECCE\C0705257\CIEO.CFG
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):25871
                                                          Entropy (8bit):3.628876107565113
                                                          Encrypted:false
                                                          SSDEEP:768:tAqlIjLdNeBa/QlhO4erymyb2U2nCGqsjIogBLFenLwfl:tAqlI1NeBaolhOLrymyz2nCGqAgBLFeE
                                                          MD5:2ED1B9435809772B68294D38B962DE19
                                                          SHA1:ECE1D3D025626D350683E7070382F235FC9FE09B
                                                          SHA-256:67F5DF4714FB4E1D09FC592DDD4AC6B6FAE220B25F5CEEF7B1B538AA653FF465
                                                          SHA-512:175FD4219059AEFBC9EDF83359AEE72FC90E8A60048A6A11EBBE15B8F62F9981899D2827D791600998B4D67CC6C2703B4FAF82B520BA5411AE9247C44401BADC
                                                          Malicious:false
                                                          Preview: 401,380,780..0.17411.0.00496.0.25686571.0.016464427.0.25686571.0.010976284..0.17409.0.00496.0.256832415.0.016464184.0.256832415.0.010976123..0.17407.0.00497.0.256787756.0.016496404.0.256787756.0.010997603..0.17406.0.00498.0.256759747.0.016528743.0.256759747.0.011019162..0.17404.0.00498.0.256726457.0.016528499.0.256726457.0.011018999..0.17401.0.00498.0.256676525.0.016528133.0.256676525.0.011018755..0.17397.0.00497.0.256621308.0.016495188.0.256621308.0.010996792..0.17393.0.00494.0.256588798.0.016397312.0.256588798.0.010931541..0.17389.0.00493.0.256533573.0.016364361.0.256533573.0.010909574..0.17384.0.00492.0.256461702.0.016331288.0.256461702.0.010887525..0.1738.0.00492.0.256395126.0.016330806.0.256395126.0.010887204..0.17376.0.00492.0.256328554.0.016330324.0.256328554.0.010886883..0.1737.0.00494.0.256206027.0.016394531.0.256206027.0.010929687..0.17366.0.00494.0.256139471.0.016394047.0.256139471.0.010929365..0.17361.0.00494.0.256056282.0.016393443.0.256056282.0.010928962..0.17356.0.00492.
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\774E815E\526B362B\LICOR-about.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 145x435, frames 3
                                                          Category:dropped
                                                          Size (bytes):12917
                                                          Entropy (8bit):7.841242072236601
                                                          Encrypted:false
                                                          SSDEEP:192:A+rZ8DyGZb+SvEEnb81eH1lJzjrFW/tUBHWTYrwwJpU8jDI0VRcYgVNJv2OsZEFs:rWyZbU8ATJk/2RDPfXfj7gYOej9
                                                          MD5:AEB44B1C85804C8574E0E56037233558
                                                          SHA1:1F115B2CCFF90DCD80DE33501BB2341827A65DAA
                                                          SHA-256:0D91511EC270698D449798FEAF766B1A3820CB659BC2E37C10B52F39D7046B17
                                                          SHA-512:347B732569F61C725355394724224063F759A430E71523F8C24CA19C041E67AC9402B6FE50C1056000CF9E36F94B7BC20D7F1891E67D2F002BD44AA0626DEF3F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\8C4586D2\7AF51026\cie1976.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:08:09 15:30:04], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):304735
                                                          Entropy (8bit):6.764574393450863
                                                          Encrypted:false
                                                          SSDEEP:3072:U9qqfJ6k0lWHQD3N5i85cLpl6Dziokg5ZVpLe+BUMx8Ni07c/FXr25:eq+elWHQD9Cz6Dz13ty+Bhmc90
                                                          MD5:0C86034B78AC08E8EBF4751066FF4508
                                                          SHA1:9E2CF625C636D92524BBD3787C326CA0A411150B
                                                          SHA-256:B5426827E53E27D35BA83DE51C5367BA595AB1B22C2411E3B0DCBA31C6896886
                                                          SHA-512:C25574138EE7544958DA6FC1BEE3BC0C5495547CF04DE9AC39827E2340B58593897F5F2BEEB62F5A932FC95086AD833A92D9DDA52D83758BC86AC007ED00C29E
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\9847A14B\B6D77E4E\ESPD_LI-180-000.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):7336
                                                          Entropy (8bit):4.207813795706626
                                                          Encrypted:false
                                                          SSDEEP:192:caWYFcBd/EL8XoWGUoN8y/kc6L4eexSZod/D0FiMwX6:ckICL81LoN8IOeoYD08MZ
                                                          MD5:75F5F0228EF83924EDAF8B5AA0DE93F9
                                                          SHA1:A34DEB51928DDA684CEB73B267831E5D2832A591
                                                          SHA-256:EE507AACFCA46227BE426667327F5F65432AB3EAE545619B7B05583EB95AEFA8
                                                          SHA-512:0949B79F2FF3A24CC3F2F807017FBF09F3393AC11BB46B52F5310609F0F4B31F7DB972E451CD404119806B2F376C9476C5E5BD26EA60A75030A0BC00E2A70BAD
                                                          Malicious:false
                                                          Preview: Model Name.LI-180..Serial Number.C16M0094..Time.2018/06/07_18:36:47..Memo...LUX.551.286071777344..fc.51.234764..CCT.5279..Duv.0.002312..I-Time.810..x.0.337865..y.0.350262..u'.0.207044..v'.0.482941..x10.0.344416..y10.0.343235..u'10.0.214256..v'10.0.480423..deltax.0.000138..deltay.0.004687..deltau'.-0.001705..deltav'.0.002342..LambdaP.449..LambdaPValue.14.203784..LambdaD.564..X.531.774719..Y.551.286072..Z.490.864868..S/P.1.821943..Purity.0.064435..Pct Flicker.0.000000..CRI.72.959000..R1.71.421402..R2.76.906075..R3.79.229408..R4.73.710800..R5.71.450272..R6.67.357368..R7.81.994560..R8.61.602081..R9.-16.864355..R10.43.786861..R11.69.502899..R12.42.744762..R13.71.495804..R14.88.912788..R15.66.517227..CQS.71.641174..GAI.81.695618..TLCI.50.887054..Rf.70.698936..Rg.94.557259..PPFD.7.529354..PFD-UV.0.006745..PFD-B.1.763472..PFD-G.3.702757..PFD-R.2.114594..PFD-FR.0.278020..PFD.7.806673..IRR.1.697261..380nm.0.099609..381nm.0.099624..382nm.0.100046..383nm.0.101189..384nm.0.101241..385nm.0.095187..3
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):19456
                                                          Entropy (8bit):5.5838184446755195
                                                          Encrypted:false
                                                          SSDEEP:192:2fW3/zOHLiVaL/qqPhh0m1ooaJOz6CXPaxEL+GIn0alGalILp/JSUJj6jLfJv19U:2fW3LOHLdLCI0m1Xz3fW01alInS1LFv
                                                          MD5:CEDF7CFFCCD03451FD22DBAAC2E3DE8E
                                                          SHA1:3FD8383608DB769A1E2C8E0C1302C315DCA8B37E
                                                          SHA-256:A1F4B952099EBA4BA4E659782F85B45C4BBB411BF5B7C02D5BE0CC3DBF27AFF3
                                                          SHA-512:BBA0BF8C75E5A1B1AFC72F5B5A33CACA721DBB4589DE7B3430398AE147E2E2CF18A15932DF62D32423B1093453B55B48B9E99FB7549135E3CF33976229C47376
                                                          Malicious:true
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#d..g..g..g..n}w.e..g..B......b......e..n}g.d..n}q.f......f..n}n.b..n}p.f..n}u.f..Richg..........PE..d...A.?L.........."......:..........d...........................................................................................................P.......8...........................@a...............................................`..@............................text............................... ..hpage.........0...................... ..hinit....U....P.......6.............. ..h.rdata.......`.......8..............@..H.data...0....p.......>..............@....pdata...............@..............@..HINIT.................B.............. ....rsrc...8............H..............@..B................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\AD9FE403\7AF51026\GAI.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:11:20 16:36:56], baseline, precision 8, 394x472, frames 3
                                                          Category:dropped
                                                          Size (bytes):36337
                                                          Entropy (8bit):6.764811903181098
                                                          Encrypted:false
                                                          SSDEEP:384:gKibD1sWGibD1LnE3rvkPYNg707osesesesla:gKvWGAE3rvkPYy9sesesesla
                                                          MD5:F6A740B37593A25B3303F21BB5C79123
                                                          SHA1:E84EEBD8AD1C57D3EA08C6A838816FFC041971B4
                                                          SHA-256:5D44CEB519861E072FCDEAEE1D3530FA59D573AA5C80BFE06C39BA83AEE7CEBC
                                                          SHA-512:8B7F40BBED567DBC12F273B384B3C6D0F0F27CECFFE8FB6F8E59E27C91A21865AE972E722D1473660857A10048D26E3D9E4D79417E67245ACC86508DF4C1CA7E
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\B7ED429E\E1510A13\setup.ini
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):639
                                                          Entropy (8bit):5.225501775126988
                                                          Encrypted:false
                                                          SSDEEP:12:o4W7yQSuA5Q0ZAFXYFP3oZjAjwMphMpYNS75qyR910OUGyy:o4sSuASFFuPYZj2py2N0syR9apGyy
                                                          MD5:80DF0F8F1C0B01912035B8EDBEE3FCA4
                                                          SHA1:A375BB2019091745C5A65CFD6CCC13F3459395FC
                                                          SHA-256:2DCEAA5F2B3661B8BBFC8C3EB4C8AA9464D1A113C53375A0B23618CA32F98EAB
                                                          SHA-512:7C4FFBB64965074667987D88E740046DB9BD17916A6D6019EBBCAAD441A7AB07E88A29E9FB5BDF07C6F58AE19120935EBCD650D0F9B03DC3E969911181749002
                                                          Malicious:false
                                                          Preview: [Driver Type]..USBXpress....[Driver Version]..3.3....[Product Name]..Silicon Laboratories USBXpress Device....[Company Name]..Silicon Laboratories....[VID]..10C4....[PID]..EA61....[Relative Install]..Relative To Program Files....[Install Directory]..Silabs\MCU\USBXpress\....[Install Subdirectories]..x86..x64....[Install Quiet Mode]..Off....[Uninstall Quiet Mode]..Off....[Copy Driver Files]..No....[Remove Copied Files On Uninstall]..Yes....[XP_2K_2K3_VISTA INF Files]..SiUSBXp.inf....[XP_2K_2K3_VISTA Driver Files]...\x64\SiUSBXp.sys...\x64\SiLib.sys...\x86\SiUSBXp.sys...\x86\SiLib.sys....[XP_2K_2K3_VISTA Catalog Files]..siusbxp.cat..
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\C3C84A4C\E1510A13\SiUSBXp.inf
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):5.224754517663399
                                                          Encrypted:false
                                                          SSDEEP:48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
                                                          MD5:BC384072A8A9F073B51EF98ACF303D5B
                                                          SHA1:30235521EB314146B1FD71B67F3CE7D920E2668D
                                                          SHA-256:0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
                                                          SHA-512:7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
                                                          Malicious:false
                                                          Preview: ; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\C9AB7ACB\7AF51026\cie1931.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:08:09 15:39:41], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):336534
                                                          Entropy (8bit):7.115911162455732
                                                          Encrypted:false
                                                          SSDEEP:6144:GI2tAK++2lUccb5UeseFVYp9WabwF+3bbveA:GI26Kl2lURb5UeseFIWabw83bbGA
                                                          MD5:A4EC7C5FA49097EA26788ECF321A50D0
                                                          SHA1:087058EFA3499B861E24C32A6EB5B86C86470935
                                                          SHA-256:CA503EF7FDD964353860C55ED9924F9F02434D07B2A075E8E477CAFBAEF195F1
                                                          SHA-512:91D99DF6CB4F2DF763C6F9CA59DE45AF3647142F371BFCE672519523285EF94F57403617EC37806F3E131E682925AC8AC12B2C381306C2E5BF5491FA98DD0260
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D2758F69\B65B8ED4\cie1976.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:05:23 17:15:12], baseline, precision 8, 1600x1600, frames 3
                                                          Category:dropped
                                                          Size (bytes):313463
                                                          Entropy (8bit):6.814020649307973
                                                          Encrypted:false
                                                          SSDEEP:3072:xzqzFaS2L8hls4H5oU4+6h/qeGVra2FA6nZqWTs9MRS:xzqzFp7ZoA11a2F/n1T3S
                                                          MD5:E6F16A7651B2C498F5506220CD24B3F7
                                                          SHA1:A1463B7A75A1309135F086CD026A334439EE624D
                                                          SHA-256:BC3CD3B0F623353B0067F670DA41E5639E2BF722954A67D3737E7CBBF39F6291
                                                          SHA-512:F66867FA36BA8BB34690FECACEB9FFB07E966B61D0994C19B5E1A1D637C7D3393E5B313C3F48FC03743E0E0F7BF998B9C3E51203F8160EA2C08CF87F425BC3AA
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):20469760
                                                          Entropy (8bit):6.646788174507154
                                                          Encrypted:false
                                                          SSDEEP:196608:r4Z+O+3MQUGqcJ8g+QwA9Nst9zmJemKD:r4xJGOA/Ooe7D
                                                          MD5:4CB8BE08741CF33831104499F1240830
                                                          SHA1:ACE76BA4ECCA1A4CEA87CFA539F60E969258DBA9
                                                          SHA-256:26A4B2A211FF8078C7E232A1AE4290A92BD0DF171E5416CBC97BC3B4C3379681
                                                          SHA-512:37FEF919B225EBB1E78E36A91C3A2D1530B47F65B8226B07BB9A86AEFD1B0F7889EC05CB731EBE2AFD2B346456B3FE5AC7AC95682B788366F3C5977E2B1A4D26
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, Author: Joe Security
                                                          Preview: MZP.....................@......Pjr......................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L......`....................p......d2............@...........................:.................. ...................0..`....p...J... ....q..................@/..b...........................`...................................e...................text............................. ..`.data....p.......j.................@....tls.........P.......>..............@....rdata.......`.......@..............@..P.idata...P...p...L...B..............@..@.didata..p.......f..................@...
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D532E401\20073942\mdd_0.ttf
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:TrueType Font data, 15 tables, 1st "OS/2", name offset 0x30a0dc
                                                          Category:dropped
                                                          Size (bytes):3189464
                                                          Entropy (8bit):5.995760690515092
                                                          Encrypted:false
                                                          SSDEEP:49152:aKGJGTV0L61KRCn7GvLkNrxCQ4Skrrlh67iPFfR:XGJGR0L3k7AhrrltR
                                                          MD5:134EA9D05DB33ADF680B8440F715CCF9
                                                          SHA1:3122FD8759ACB7562A98F6349EF0E2E46A018895
                                                          SHA-256:70F760EE31BB569EC53E33B44A699643898DC8C65B3034E370953AFD1E63964D
                                                          SHA-512:C512C3F68EB90C5A6D78D2F00559A42CE492131F0CC6B18A5483B57E906793EFAFD25785F0836483214333AA9E77960DD6C6F32FC8292178644FC9E4D2B91A9B
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D83B2FF9\7AF51026\tm30image.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2015:12:30 17:35:06], baseline, precision 8, 800x800, frames 3
                                                          Category:dropped
                                                          Size (bytes):94892
                                                          Entropy (8bit):7.270988868597474
                                                          Encrypted:false
                                                          SSDEEP:1536:s8c3FL8w+sqCi2MhzmZRRgFwHXbGZC17CFIQTUH4dlqUtIeKFwWIQI5uDKRID:s8MF1hinpmZRR0WXqZC17CFV4YdcTeKX
                                                          MD5:628BA21B5C6B2759EAE8A66A6BE2C6C3
                                                          SHA1:349D8736B69DCBB1A0C58736B5006E19737D2144
                                                          SHA-256:871AF5869E6B0D8AAD4EE8B45AA02B4349FE0BFD35B0B6960DC7C177E33DB05F
                                                          SHA-512:70FDE4CB2C719F10B6B407FDB5453B2D7CD672F3FE3F8185CC86B988FC94A2680E8161E382DAF2C99F04ECA0654A6E1DB38FF0D41A672928FEC508E50649CBD7
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\DAA0442\526B362B\LICOR-start.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 600x360, frames 3
                                                          Category:dropped
                                                          Size (bytes):20110
                                                          Entropy (8bit):7.456114321529859
                                                          Encrypted:false
                                                          SSDEEP:384:NJ22ogJO6LBHPVzp7/C5Xy2bbd4632YQdkA4lliVhU:kgJO61NN0Xykbd4IQ2A4lliVhU
                                                          MD5:DB5050170386F50D5268871E82F8CF49
                                                          SHA1:269AD18CEC7382CE70192A9E9805324EE50889A9
                                                          SHA-256:C3242691970CAA16C3508D08309EEAEB38310AF944EB05CC51FD32ED31F9D14B
                                                          SHA-512:70C31CF3ECD273AB431F7A92BA7D44AC57ADF9B49B8C2A10C2A8180A26ADB6CE8BE156E2412336B1FC434C46381BB95BF1A98D682B26275A3F2433CE83AADBB6
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):90112
                                                          Entropy (8bit):5.9593050226304385
                                                          Encrypted:false
                                                          SSDEEP:1536:EFrG2x+yr66sN/Cnj3sxacCtmkAdheNcief1n9JNABxojxiM:E1G26wjNtkT9JaBijU
                                                          MD5:8D32BE58B5F5BD7317628BF6BE577DB7
                                                          SHA1:C43BCE281CDB08C4B36D7C15B2817C901B75A9EE
                                                          SHA-256:4CB634E37C2622AFBCDDF706868F4E992DB59B7BBB6F99820EC636307F833C32
                                                          SHA-512:DB27E8DD5361424D98C4894B8D9163CE88A51F31F343C8474CCEB30C353EEBFBAD92F2A252B299E7E52B203CB69388E875CFE5680BBA36D7ACB807F955D0EC77
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I+..(E..(E..(E...8..(E...(.(E.?'...(E..(D.(E...+..(E...?..(E...9..(E...=..(E.Rich.(E.................PE..L......M...........!.................n.......................................p.....................................0.......l...d....@.......................P..P...................................8...@...............H............................text...E........................... ..`.rdata...7.......@..................@..@.data...$.... ....... ..............@....rsrc........@.......0..............@..@.reloc.......P... ...@..............@..B................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\E379E83C\7AF51026\CRI2.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=12, height=945, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=945], baseline, precision 8, 800x800, frames 3
                                                          Category:dropped
                                                          Size (bytes):317756
                                                          Entropy (8bit):7.8934485714815565
                                                          Encrypted:false
                                                          SSDEEP:6144:mbVolEvG4/Rkez+lh6MLh/kRG2x2yiQpWMJGzxBYDH:GolEv6ez+SY2vpgYDH
                                                          MD5:F41266D03391E18B49F781EC376AE02E
                                                          SHA1:776BD803EDA70C5463F595B670A17F1CBEC3045E
                                                          SHA-256:D6F4C7DF131CEB1357BF951E2AF27349A583D53500A9CA0D60BDF2F0202DE8D6
                                                          SHA-512:0D6D6D0B0F01AFE5585E7011F19ABE85305418819C8F319CF13E0CC1591C9A462E8388C5C3F9EEC4D8190C080BA69E075784047A9E9C1CF7CE96AAD22135FFA4
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\E5444EFD\CD0E66BD\LI-180_Log_Example.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with very long lines, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):3750
                                                          Entropy (8bit):4.008741802403102
                                                          Encrypted:false
                                                          SSDEEP:48:+8OFBBLkDlmXEhePfniR+sZ5URhyfahrXp7zfBSLnJ+PnshS6CI+zRI7yjShRhxd:l0Rvni6RbpXfCnISCdnwX/JU9kwbC6He
                                                          MD5:6B725689715D05FF07DDD4446546AE98
                                                          SHA1:E6393831097644DA12EE0CEEFE2C4E3FFD60CD7E
                                                          SHA-256:6BFED87E667BACB00FB1BD98AC564E4A43A120679BE91378C485FEDD5D91A7FE
                                                          SHA-512:9C3A3D4632B9E0076F61966252480068B3343F709F5A923E84D70DEA2BAE21DD9500F4B6146B048F7092333BFDCE9B78EF4D79AB49BD8359FC5D572A6CFC80C5
                                                          Malicious:false
                                                          Preview: Model Name.Serial Number.Time.Memo.LUX.fc.CCT.Duv.I-Time.x.y.u'.v'.x10.y10.u'10.v'10.deltax.deltay.deltau'.deltav'.LambdaP.LambdaPValue.LambdaD.X.Y.Z.S/P.Purity.CRI.R1.R2.R3.R4.R5.R6.R7.R8.R9.R10.R11.R12.R13.R14.R15.CQS.GAI.TLCI.Rf.Rg.PPFD.PFD-UV.PFD-B.PFD-G.PFD-R.PFD-FR.PFD.Pct Flicker.IRR...LI-180.C16M0094.2018/06/07_18:38:57..543.148682.50.478500.5279.000000.0.002312.810.000000.0.337866.0.350264.0.207044.0.482942.0.344412.0.343248.0.214248.0.480429.0.000139.0.004689.-0.001705.0.002343.449.000000.13.986156.564.000000.523.924194.543.148682.483.612244.1.822421.0.064443.72.989456.71.441299.76.929138.79.267715.73.732475.71.476006.67.393066.82.017883.61.658089.-16.677534.43.856194.69.527214.42.825092.71.514412.88.933922.66.551353.71.674065.81.703079.50.969234.70.737282.94.565559.7.421987.0.007622.1.738674.3.647980.2.086047.0.279896.7.702174.0.000000.1.674243...LI-180.C16M0094.2018/06/07_18:39:02..569.244202.52.903736.5288.000000.0.002364.780.000000.0.337633.0.350170.0.206922.0.482862.0.34
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\ECC34BEC\3EF45B9E\ANSI_Ellipse.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1004
                                                          Entropy (8bit):3.811029766434935
                                                          Encrypted:false
                                                          SSDEEP:24:cXRbzjOJi/CG1wwHPINYdBvmCQI9MSDVG:eRfCJi/CGVSY7x39P4
                                                          MD5:30638861125319A8EB54E0F75F953AD5
                                                          SHA1:8091B23543DE04CA3769A9C913C0AFAFD3191BC3
                                                          SHA-256:F6DFE926CECB9139750FC181961260E75817587C353BC525A7E018A2A571DCB1
                                                          SHA-512:3175EAFF7FF111EEBDE48459CDCEDBDD7927F3B0FFEE0B29B53A932F51007F19927E8448B4D31F31D0D95312273511C752E7DD0BC7634EFE212C578EC84DC3ED
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377.......E10.......0.4813.0.4319......0.4562.0.426......0.4373.0.3893......0.4593.0.3944......E20.......0.4562.0.426......0.4299.0.4165......0.4147.0.3814......0.4373.0.3893......E30.......0.4299.0.4165......0.3996.0.4015......0.3889.0.369......0.4147.0.3814......E40.......0.4006.0.4044......0.3736.0.3874......0.367.0.3578......0.3898.0.3716......E50.......0.3736.0.3874......0.3548.0.3736......0.3512.0.3465......0.367.0.3578......E60.......0.3551.0.376......0.3376.0.3616......0.3366.0.3369......0.3515.0.3487......E70.......0.3376.0.3616......0.3207.0.3462......0.3222.0.3243......0.3366.0.3369......E80.......0.3205.0.3481......0.3028.0.3304......0.3068.0.3113......0.3221.0.3261.............CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.463.0.42.0.00258.0.00137.57.17..3000.0.44.0.403.0.00278.0.00136.53.1..3500.0.409.0.394.0.00317.0.00139.52.58..4000.0.38.0.38.0.00313.0.00134.54..5000.0.346.0.359.0.00274.0.00118.59.37..6500.0.313.0.337.0.00223.0.00095.58.
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\F28C57DF\B65B8ED4\chart_cie1931w.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 663x654, frames 3
                                                          Category:dropped
                                                          Size (bytes):52016
                                                          Entropy (8bit):7.671803743250698
                                                          Encrypted:false
                                                          SSDEEP:1536:HQeswjrRRDzYtzY04Q1lIeSqDye7R6CvZJz+75:wbwjrRRDzY1Yjq7SQ7RjvZJzW5
                                                          MD5:5A5A18D04A1E20512F32E8C21F286E4A
                                                          SHA1:5193582C703AFCB9FFFB84C46B6837BBE9026BE0
                                                          SHA-256:827E3E67CD174BBA9A30FB11F0E0419DA0384B84CCD2050E6246701B505FAEF9
                                                          SHA-512:DB5B18AA3358736EED43F9EE3F3284AB15DFA22606FFBB7CD278036BAD380F91F8FFD1F07AC2CB6D7AE4C879E7369716A61E3EED85AEBF09B742811172107434
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\F4ED2515\3EF45B9E\ANSI_2011.xls
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):881
                                                          Entropy (8bit):4.0063232350310995
                                                          Encrypted:false
                                                          SSDEEP:24:cGIV0UVuKaZuTAQaQubrOcHge3vQTDVz6y:eVzVudZuTOQublB/W1z
                                                          MD5:ADDCFE247A6E035209CCCBD99F699EA1
                                                          SHA1:764AD762AE4E1A063F57C2C8E2D18AB0DC5141EA
                                                          SHA-256:505C3D93C19A8C64D5131AB94E1CBD77BDA4EF1A1B7187D731510C2CB5DFD3A6
                                                          SHA-512:9A77CF8974BA731D8436C9E1F4B0B1D8990B8733BE86A26566808AD134B1B0E6EB4A599CF7AE7037BCD8878906548310F7686A024DD88DB7E507CB983DB97C55
                                                          Malicious:false
                                                          Preview: ENERGY STAR ANSI C78.377-2011.......E10.......0.4811.0.4315..0.4561.0.4259..0.4373.0.3892..0.4591.0.3941..E20.......0.4561.0.4259..0.4302.0.4171..0.4149.0.382..0.4373.0.3892..E30.......0.4302.0.41713..0.4003.0.4034..0.3895.0.3708..0.4149.0.382..E40.......0.4003.0.4034..0.3737.0.3879..0.3671.0.3583..0.3895.0.3708..E50.......0.3736.0.3879..0.355.0.3752..0.3514.0.348..0.3671.0.3582..E60.......0.355.0.3752..0.3375.0.3619..0.3366.0.3372..0.3514.0.348..E70.......0.3375.0.36169..0.3205.0.3475..0.3221.0.3255..0.3366.0.3372..E80.......0.3205.0.3475..0.3027.0.331..0.3067.0.3118..0.3221.0.3255.........CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.459.0.412.0.0027.0.0014.53.7..3000.0.44.0.403.0.00278.0.00136.53.22..3500.0.411.0.393.0.00309.0.00138.54..4000.0.38.0.38.0.00313.0.00134.53.72..5000.0.346.0.359.0.00274.0.00118.59.62..6500.0.313.0.337.0.00223.0.00095.58.57..
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\FC8C594\7AF51026\LICORC.jpg
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:08:07 16:10:55], baseline, precision 8, 424x389, frames 3
                                                          Category:dropped
                                                          Size (bytes):65664
                                                          Entropy (8bit):7.563574997001168
                                                          Encrypted:false
                                                          SSDEEP:1536:J3UYDQO5/EOYE+HZYS+up2wvGon6fR93oV:mk5JU5YS+uN+9s
                                                          MD5:A57E8C6BB8787217316ACE238BDFF43A
                                                          SHA1:03C311EF7213EF6219391E1DEE6BEE781C32B97C
                                                          SHA-256:C339438B62D436692A6363693799D818CEE49F043EDE20C7E06DF1E4947855EB
                                                          SHA-512:48CDF60EABA0BC8AF560E3B4E75481EE0EDCA7FCB763B63FD3298883676AA2E92936E537891DC48ED5230AD75AB48EEF3AD9395A40EF889FE74A03BEA42F271D
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1340928
                                                          Entropy (8bit):6.677299856016359
                                                          Encrypted:false
                                                          SSDEEP:24576:89mKmMTfYBbuMNX9PnKMHxXgrptvZzDMbxBqSwY1raig5CUd1t:89mn1buMNX9yChIGbxUSwr57d1t
                                                          MD5:57C34F9689A69BE0C1CD7F6FF3FDA546
                                                          SHA1:54F0D3CB9693D8937AA93301AC66D25CDEA9B628
                                                          SHA-256:2C2095721E9E7B3CA68D08D5F3D6E0528B8BCED9A45CEA638CF4B8212E9B139E
                                                          SHA-512:01C95F082FD71DAD1BC686F37B7CA06724936B2E02294147EEBE384910809ADC8D802D89016CFA423C1181D531CE6C8D0AF4C95F633D8AE8D6AAD3B10C842F4D
                                                          Malicious:false
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......R.....................|............... .....Q.........................0....................................... ..O.......|9.......Z...................@...............0..................................................^....................text...\........................... ..`.itext..x........................... ..`.data....L... ...L..................@....bss.....S...p.......F...................idata..|9.......:...F..............@....didata.^...........................@....edata..O.... ......................@..@.rdata.......0......................@..@.reloc.......@......................@..B.rsrc....Z.......Z..................@..@.............0.......v..............@..@........................................................
                                                          C:\Users\user\AppData\Local\Temp\7zS7952.tmp\mia.lib
                                                          Process:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1335758
                                                          Entropy (8bit):6.607116387652834
                                                          Encrypted:false
                                                          SSDEEP:24576:kKLeEbW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ5e:jLeEbasY6DwOBfrnvV7UeWtPe
                                                          MD5:2957FB70B1A610B54D98CC4FB2F8DCEC
                                                          SHA1:68319EBF22A4B7D3B52B2E1198CF61535D024E24
                                                          SHA-256:30B0CD1B04F0B39251614DB60C5F9AD7E98E4201B46CDF4C850942A14F03ECD0
                                                          SHA-512:873CCADABA7A9A639328B42360166BCC427C7298FF743829C3BE92F0FBD9EF8D000F64B799765EB80D42F8BFC5196BF1083752D33840359909E9DA740B15C489
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ad.. ... ... ....g.. ....q.. ... ... ...X... ...X... ...X... ...X... ...r... ...X... ..Rich. ..........PE..L.....8R...........!................3=.......................................P.......g....@.................................<...d................................,...................................................................................text...-........................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...............................@..@.reloc...J.......L..................@..B................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\IAW4D1E.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:MS-DOS executable, NE for MS Windows 3.x
                                                          Category:dropped
                                                          Size (bytes):1409
                                                          Entropy (8bit):2.1089598099838787
                                                          Encrypted:false
                                                          SSDEEP:6:HRMU/KehW3pFZZdCPqxdHHEpKwJ5zCQw5j6lsylDdHHEBBFdHHEr:SeoFMPqxd2t3zJlld0di
                                                          MD5:F6E9D9EF3E234E5350B797657E804EFE
                                                          SHA1:7E2410D1844AF6DA5EABD9BDE7F5D21727CF4344
                                                          SHA-256:7540C6BB20E8712D49553B04DAF3EBBF63BABF890DA60B307EAD16AC8F3FC697
                                                          SHA-512:9643E3DF67B0E2311F2DCCE4EA09C47165AD16E13CF80C57322E2CF90A106388229EFFFDDECDACF2257518F8D945110DB53B2755BE17709B16E4A4FAF1BBE210
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This is a TrueType font, not a program....$.Kiesa.NE................................@.@.t...................................H...P.,............@...P..........FONTDIR.mdd_0......mdd_0.ttf......FONTRES:Droid Sans Fallback..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\lang.loc
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):161742
                                                          Entropy (8bit):4.663134233193565
                                                          Encrypted:false
                                                          SSDEEP:3072:VklAVePDH8KN74yCpNadsnh6j4g9hmzqJqqtn:C
                                                          MD5:04B0ED6BC3D34D2A67F2C81A66C9E57F
                                                          SHA1:7B3B7FBBA050195C4B170670CEB3F70EF4CEC901
                                                          SHA-256:D11AC6568E18FEA4BEADE649AE12F79A4D7B0572BDA22C5732242E35078ED42F
                                                          SHA-512:CCA5304934E00A435E4FCE5FB6C5C6A3E3D855F48111F3CFB3DED00F6249B9F919C3F052900FE2AFEEF0A3C9D6DDD768BA26369334F149562EAA288F4049CF5F
                                                          Malicious:false
                                                          Preview: Please install the common controls update from Microsoft before attempting to install this product...Setup resource not found..Setup resource decompression failure..Setup database not found..Runtime error in install: ..bytes..KB..MB..Attempting to get value of undefined variable ..Attempting to set value of undefined variable ..Copying: ..Unable to copy installation data to local folders..Downloading Web Media: ..Unable to download installation data from the web..Extracting Web Media: ..Unable to extract installation data downloaded from the web..Please locate your original setup sources to continue operation..Original setup sources required to complete operation, sources not found..General setup failure..Runtime error in setup script:..% complete..bytes received..InstallAware Wizard..InstallAware is preparing the InstallAware Wizard which will install this application. Please wait...Retry Download?..Downloading of installation data from the web has failed. Would you like to try again?
                                                          C:\Users\user\AppData\Local\Temp\mia.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):62942
                                                          Entropy (8bit):5.50721751851534
                                                          Encrypted:false
                                                          SSDEEP:1536:P/PsPRMaGVrW4N9sCMO8qsusKK+2yKmeivC6SSqKa6Pqiiqzq:PHkGVy4DsCMO8qsusKK+2yKmeivC6SSu
                                                          MD5:6ADFD0B8EF2EFEDC490D196722D6CED5
                                                          SHA1:330FBEA87954910F2807B4DD686E011D2A5700D4
                                                          SHA-256:E5AB09A6DA49A874E46E890F075E47825BC6A60A3B1122186F8088A5039E05AE
                                                          SHA-512:AB7458BFBE2968279AA43443E4121F09E2D9F75498FF56EFF912FE6DE2B352D1B87EA3ED69EA777422AE260C6C2DF46EE73F4068A64BC0518EBB7117C4F7DEDB
                                                          Malicious:false
                                                          Preview: .Comment..Comment..Code Folding Region..Code Folding Region..Comment..Code Folding Region..Comment..Code Folding Region..Comment..Set Variable..Set Variable..Comment..If..Set Variable..Set Variable..End..Comment..Code Folding Region..Comment..Code Folding Region..Comment..If..Display Dialog..If..Terminate Install..End..Display Dialog..Comment..If..Set Variable..Set Variable..(Un)Install MSI Setup..If..MessageBox..Terminate Install..End..If..MessageBox..If..Reboot and Resume..Else..Terminate Install..End..End..Set Variable..End..Comment..Hide Dialog..End..Code Folding Region..Comment..Code Folding Region..Comment..Code Folding Region..Comment..Define Component..Comment..Comment..Get System Settings..Get Folder Location..Get Folder Location..Get Folder Location..Get Folder Location..If..Set Variable..End..Get Folder Location..Get Folder Location..Get Folder Location..Get Folder Location..Get Folder Location..Code Folding Region..Comment..Code Folding Region..If..GoTo Label..Else..Comme
                                                          C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):76728
                                                          Entropy (8bit):6.254581045679638
                                                          Encrypted:false
                                                          SSDEEP:1536:edjdN2c6vBVoJFLVbRv4e1R42TtHT/tNzxU:edNmVGFp9B1TtHT/tNzu
                                                          MD5:980ABD131E4B45DC8ED554D3EE0C2044
                                                          SHA1:B6041667248E9AD0CED547B33C16BF1D8A495661
                                                          SHA-256:0D75323B0EEFE651374099234B718DA70FE3C160D62BD73B49579CB07C4DDE4B
                                                          SHA-512:0429B94DD0871CB8EDB02DDDDEF2E5D21D22B09D96DCB1CF937E35B2D085742CEBDF121591902FD0A686078F9F241C5551892D1BBFC15E2B094D39BEBA159C5A
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.yW...........!...2.....h...............................................`......O$.............................. ...x............@.......................P......................................................."...............................code...'........ .................. ..`.text...l....0.......$.............. ..`.rdata..............................@..@.data....R.......N..................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\mia1\LI-180_Installer.msi
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\componentstree.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33309
                                                          Entropy (8bit):3.3772470427001995
                                                          Encrypted:false
                                                          SSDEEP:768:pJHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfTE:phXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dt
                                                          MD5:F1BA2D0A20CF4290FCDB45B3CF54840C
                                                          SHA1:EC808EBC2563D3D00866BDE0AFF4059C3C995C03
                                                          SHA-256:F27A9B4D468632780547E3FC26A59993B3108A18CB096852A302577BFA4C6F2F
                                                          SHA-512:C4073CE6F58447B858901389D52BD479C888370CD6328499B516B9C919A728C4099F00DFA19005AC65BC986A79FF2A9A0E4CAAE9BCC0A5E3A72747696B4BC126
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0.....TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z..
                                                          C:\Users\user\AppData\Local\Temp\mia1\componentstree.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\destination.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33184
                                                          Entropy (8bit):3.358519824453405
                                                          Encrypted:false
                                                          SSDEEP:768:BxHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfh:BpXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Ds
                                                          MD5:C92448DB4098F4A3095C0BF94500D2D6
                                                          SHA1:D5F0AAA3C7E55B085D0D57C13499E07AF30354CF
                                                          SHA-256:799B7F02BA036F90052545DA51D2807A0CB65B657C36FB26113BDE086E40D929
                                                          SHA-512:830244E76DBD3CE333A540FB54470F99FC295FCF00CF2D2586FA28094B1A2EB0A5B98EAFBD82A78AD37635E5424FA84C428630B5D42E322E885A846CF0EEE5EE
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0.....TPF0.TfrmDesign.frmDesign.Left....Top.|.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...
                                                          C:\Users\user\AppData\Local\Temp\mia1\destination.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\finish.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):161230
                                                          Entropy (8bit):1.999222422314916
                                                          Encrypted:false
                                                          SSDEEP:192:tty+Dfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4CWNux1LAwpk:tbbI/T4+
                                                          MD5:F45B64FF519D1538DCC250AA3149AC4D
                                                          SHA1:CF1B58E06FAA1D7F7239C648E64CF4DE1A1CFDF2
                                                          SHA-256:15958250C4F342B9ABF75E7DAA1AA5BBD8366BA6D57B23E0A690FD0F2F703F72
                                                          SHA-512:ED61591FBE14B7A3ED798EFAA4D577BB0AD620AF0996DEA9E96A4A31E024C17F80B561133B97D08B1E41CF286F9B04214C0FF565D6A1DD59A9763E516B0D2410
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0..u..TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.DoubleBuffered..Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...GlassFrame.Bottom./.OldCreateOrder..Position..poDesigned.Touch.ParentTabletOptions..Touch.TabletOptions..toPressAndHold.toPenTapFeedback.toPenBarrelFeedback.toFlicks.toFlickFallbackKeys..PixelsPerInch.`.TextHeight....TImage.Image1.Left...Top...Width....Height.:..Picture.Data..i...TBitmap~i..BM~i......6...(.......:...........He..................V-..a8..`9..b=..nD..yJ..zL...S..d@..gC..jE..jF..mH..rL..tK..sM..zQ..kG .mI .lI%.rN$.tO&.pN).{R#.{U .{S$.rP*.tP).sR..{W..}Y*.vU2.|Z2.yY6.}[5.zZ8.}^;..X...V...[...`...f...a...f...l...o...z...|...r...z...q...w...|...\#..X'..]$..Y)..[,.._/..^4..e'..h#..i%..l+..t...d2..b4..f6..e:..g=..h?..j<..l<..q<..~)..|
                                                          C:\Users\user\AppData\Local\Temp\mia1\finish.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1938
                                                          Entropy (8bit):5.044225786332962
                                                          Encrypted:false
                                                          SSDEEP:24:vuikSi+nfi0ZiFuEai/pZSruicvSi+pipUivuNsIi/pEaiDatfi/pTvSgREii/p5:v5ExAGVPbu1ZRMfkf3faWYxWqQch
                                                          MD5:A5066097B928A2A87318FF5D74084344
                                                          SHA1:7041B5D87E79ED362121DC5E29751960D6D8B1FA
                                                          SHA-256:418DA2B3B60D642FAB7C40E6366DC8CA53C8E4BFD761083EB3E2425682BBD0E4
                                                          SHA-512:DC8FC4841217FC503DD94060E1D151552022CDDCB115BE5F4317FF3C8686AACA2A6931A08EB5005B00D3DDA848D90236A2ADE1E4B98BCD4F6C01B6552F70BF63
                                                          Malicious:false
                                                          Preview: .IF (checkSuccess.Caption = COMPLETE) THEN textComplete.Visible := True;..IF (checkSuccess.Caption = REBOOT) THEN textReboot.Visible := True;..IF (checkSuccess.Caption = CANCEL) THEN textCancelled.Visible := True;..IF (checkSuccess.Caption = ERROR) THEN textError.Visible := True;..IF (checkSuccess.Caption = COMPLETE) THEN RunNow.Visible := True;..IF (checkRemove.Caption = TRUE) THEN textRemove.Visible := True;..IF (checkSuccess.Caption = REBOOT) THEN RebootNow.Visible := True;..IF (checkSuccess.Caption <> COMPLETE) THEN textComplete.Visible := False;..IF (checkSuccess.Caption <> REBOOT) THEN textReboot.Visible := False;..IF (checkSuccess.Caption <> CANCEL) THEN textCancelled.Visible := False;..IF (checkSuccess.Caption <> ERROR) THEN textError.Visible := False;..IF (checkSuccess.Caption <> COMPLETE) THEN RunNow.Visible := False;..IF (checkRemove.Caption <> TRUE) THEN textRemove.Visible := False;..IF (checkRemove.Caption = TRUE) THEN textComplete.Visible :=
                                                          C:\Users\user\AppData\Local\Temp\mia1\icon.ico
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:MS Windows icon resource - 6 icons, 256x256 withPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 128x128, 32 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):102009
                                                          Entropy (8bit):1.439058677460756
                                                          Encrypted:false
                                                          SSDEEP:96:8fWSNWlsTzOmH4xjpREoc6klrV1X7sAtkqN2Afw+80KsbLootu+43pKdBKKirUEI:zlC6Fx9REoc6UrV1LsAtkqzoB+45Kd0C
                                                          MD5:8669CAD499B2FDD623A2219DA0EDF9E2
                                                          SHA1:1D41EC18DD60166CD34DE34FED5B19E778F99590
                                                          SHA-256:E47079863E0FAC451B02DDA76171729FF8EAD992281E003ACE30BA73237575A8
                                                          SHA-512:0F3720C1C46EEE10018A627B7CBD36C1630A8A9B1A97C5BBDE93CF38038BA265A200D0867338E14DED554D7565DB29FC16C45698476022CEE4F660DE6F061DEC
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\installaware.png
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):1597
                                                          Entropy (8bit):7.871063017224323
                                                          Encrypted:false
                                                          SSDEEP:24:X93kpZjQLmEcxtIwWXPAGpKpkZcks41xdrqUaBdJbYfxpJgx7YWg/uLwdCnq:N3Yj8mEcxywiPrpKpNMdr07SxgSt
                                                          MD5:B7225A16DAF9DE1D514AEFE567FDF2F5
                                                          SHA1:D6A00C526C425FCD5EF49B0C87814F2CF476CB59
                                                          SHA-256:0E2DEFC9B470D3F9BD184D254493EFAD94EA0273C1FE17FC8FC651D47B01734E
                                                          SHA-512:31412603AE87F2B9C9DAD2D0BA64868105586D1778846DE5F1C14667C4292DE36FC193B54670BDF130019B0B42AB59EEF2C2D8672226BA755181FEA894BD9246
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\license.rtf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:Rich Text Format data, version 1, unknown character set
                                                          Category:dropped
                                                          Size (bytes):8029
                                                          Entropy (8bit):5.0787285797616715
                                                          Encrypted:false
                                                          SSDEEP:192:6RMfWBgsh5jrcRUjFZ6Adb+3eGl83ykMfUaFW7W9nK7dLf0gurZ+2:Yush5jICj6AdRGAD4W7W9K710N02
                                                          MD5:6017828D717690DD90F7AB6BBEA202F2
                                                          SHA1:C24165A9B87075A6E71E95E58E2EEEB9C932811F
                                                          SHA-256:29B4BFB1AA7BD6B23CD4CC14E23AA8A3E5D9A3C6AAB66E93BBD419B23115728B
                                                          SHA-512:F7605379EC384DB19928C9BFA5168DBE45C718E2E885CAA8A5A412BB5CBCA49091481FC7D29018A44A41A54093A3524A168E16FD4471291A327152AD7F4A13E6
                                                          Malicious:false
                                                          Preview: {\rtf1\fbidis\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\fnil\fcharset136 Tahoma;}}..\viewkind4\uc1\pard\ltrpar\lang1028\f0\fs16 END USER LICENSE AGREEMENT \par..\par..\par..\lang1033 This copy of LI-180 Spectrometer("the Software Product") and accompanying documentation is licensed and not sold. This Software Product is protected by copyright laws and treaties, as well as laws and treaties related to other forms of intellectual property. LI-COR, Inc. or its subsidiaries, affiliates, and suppliers (collectively "LI-COR") own intellectual property rights in the Software Product. The Licensee's ("you" or "your") license to download, use, copy, or change the Software Product is subject to these rights and to all the terms and conditions of this End User License Agreement ("Agreement"). \par..\par..Acceptance \par..\par..YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT BY SELECTING THE "ACCEPT" OPTION AND DOWNLOADING THE
                                                          C:\Users\user\AppData\Local\Temp\mia1\licensecheck.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32515
                                                          Entropy (8bit):3.2392237095249325
                                                          Encrypted:false
                                                          SSDEEP:768:j2HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfE:juXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5D1
                                                          MD5:9A87495839CA4357F293308C86139F03
                                                          SHA1:0529F4612D004BAA1FE8806F6EAD5E78B3E76E55
                                                          SHA-256:C623B82A8BE3EAD16900164C09AFEE00215DC1749A6DE8D4F381CF983A3F5CEB
                                                          SHA-512:75F64D527924764598066D157C406FD18A00FA59EAB8D418724EF7E87B8B718EF57595118284710A08B17D7C287723AAF5F06383F877ADF77EFF7F7573AD665E
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0..~..TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z..
                                                          C:\Users\user\AppData\Local\Temp\mia1\licensecheck.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):502
                                                          Entropy (8bit):4.896842553280578
                                                          Encrypted:false
                                                          SSDEEP:6:aHi6GKuMtrk86i6euMtrkeuN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+J:0IMtgfjMtgxINIkU3lkimkU3MIkT
                                                          MD5:D312F2FDC09193A04578D688A2CA292D
                                                          SHA1:54BD3AA4CC72E68FC613A4227CADA7AD702D795E
                                                          SHA-256:DB1C3A93A00A46C77F3E8D19C5DA4D42C54CE58C9EB71B586E512ABEE2D46967
                                                          SHA-512:A71514B0F31010F7BF23954BCE707A277CA765BC14DDED7D7870615528A7751E4B26E72BB826781BC4F57C2A7C75FCFB92C4BA781AAD58372CF6CECE39832D19
                                                          Malicious:false
                                                          Preview: IF (LicenseCheck.Checked = True) THEN Next.Enabled := True;..IF (LicenseCheck.Checked = False) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\mDIFxEXE.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1305600
                                                          Entropy (8bit):6.66768345397406
                                                          Encrypted:false
                                                          SSDEEP:24576:yIAaJZ7NOcdUT4OELlCRmLrxB4Swz+hLnNlAj4HdH:HcWgYfxSSwz4A6
                                                          MD5:511629FCCFB6C536A8F6FCBF4AA06401
                                                          SHA1:6931DE3FB845AF6CD30348108A98767268EF6200
                                                          SHA-256:65AD010679A748A7174ABE1C314E0F1AE78E7BE69DEC22F0357536F21399C68C
                                                          SHA-512:D51248F81789E8E2DEFB7B59E551B3FF705C8D8BB098AC66E7A4C7C9AF48855544BA44D6256F02052B6D525753A645E7EA601F421A5918446A231775F89E081C
                                                          Malicious:false
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......R.....................h......\..............Q....................................................................O....P...5...P...T..........................................................................Y..H.......^....................text....k.......l.................. ..`.itext.. ............p.............. ..`.data....L.......N..................@....bss....PS...............................idata...5...P...6..................@....didata.^...........................@....edata..O...........................@..@.rdata..............................@..@.reloc.............................@..B.rsrc....T...P...T..................@..@....................................@..@........................................................
                                                          C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1340928
                                                          Entropy (8bit):6.677299856016359
                                                          Encrypted:false
                                                          SSDEEP:24576:89mKmMTfYBbuMNX9PnKMHxXgrptvZzDMbxBqSwY1raig5CUd1t:89mn1buMNX9yChIGbxUSwr57d1t
                                                          MD5:57C34F9689A69BE0C1CD7F6FF3FDA546
                                                          SHA1:54F0D3CB9693D8937AA93301AC66D25CDEA9B628
                                                          SHA-256:2C2095721E9E7B3CA68D08D5F3D6E0528B8BCED9A45CEA638CF4B8212E9B139E
                                                          SHA-512:01C95F082FD71DAD1BC686F37B7CA06724936B2E02294147EEBE384910809ADC8D802D89016CFA423C1181D531CE6C8D0AF4C95F633D8AE8D6AAD3B10C842F4D
                                                          Malicious:false
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......R.....................|............... .....Q.........................0....................................... ..O.......|9.......Z...................@...............0..................................................^....................text...\........................... ..`.itext..x........................... ..`.data....L... ...L..................@....bss.....S...p.......F...................idata..|9.......:...F..............@....didata.^...........................@....edata..O.... ......................@..@.rdata.......0......................@..@.reloc.......@......................@..B.rsrc....Z.......Z..................@..@.............0.......v..............@..@........................................................
                                                          C:\Users\user\AppData\Local\Temp\mia1\maintenance.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):160624
                                                          Entropy (8bit):1.9662006432706152
                                                          Encrypted:false
                                                          SSDEEP:192:tdMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4Cwtq69wWnUgK:tfI/kwAgK
                                                          MD5:B3C9C9EE0C9C2DCB15CF24D5DF20F4F3
                                                          SHA1:3B1660EB617CB2751D9CCC79B8C025BD5A7B153B
                                                          SHA-256:23D6D6041B3025A8B1817B5FC455067B534AD91DCB19A1D09509A3AE55065CED
                                                          SHA-512:93C5B855AF462D9772754CB46307F5890735F7476D8ECF0F9CF213BC3A32EB4E19E3C48842A68F9D1DD29EAF2A8A2EE4712E917AB05BC121C18BFA77E3250811
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0.\s..TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.:..Picture.Data..i...TBitmap~i..BM~i......6...(.......:...........He..................V-..a8..`9..b=..nD..yJ..zL...S..d@..gC..jE..jF..mH..rL..tK..sM..zQ..kG .mI .lI%.rN$.tO&.pN).{R#.{U .{S$.rP*.tP).sR..{W..}Y*.vU2.|Z2.yY6.}[5.zZ8.}^;..X...V...[...`...f...a...f...l...o...z...|...r...z...q...w...|...\#..X'..]$..Y)..[,.._/..^4..e'..h#..i%..l+..t...d2..b4..f6..e:..g=..h?..j<..l<..q<..~)..|1..}8..eD..kF..oJ..mA..sC..rD..uH..xM..xS..}V..zJ.................../...3...4...?...<...1...6...8.....................................
                                                          C:\Users\user\AppData\Local\Temp\mia1\maintenance.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\prereq.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32639
                                                          Entropy (8bit):3.2633511856005843
                                                          Encrypted:false
                                                          SSDEEP:768:scHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfi:scXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dp
                                                          MD5:3B989C7730DF816A13A88B722A25B021
                                                          SHA1:882F64912D28ED7C1EE1D59333E934CC73E1C50A
                                                          SHA-256:9E7054257B4D608BC16547468B0E6D4AA06B0A0CF467CF76CD7ED169979E0B2C
                                                          SHA-512:36E42A53E3F4956DD87DCBF6E36B43E9210B8A5195684228CCF7C465ECB7105505EAFF01F705B8B4D48631E21C02B443AB871D84415A1597FC4B52B22D18689F
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0.k...TPF0.TfrmDesign.frmDesign.Left....Top.{.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...
                                                          C:\Users\user\AppData\Local\Temp\mia1\prereq.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):744
                                                          Entropy (8bit):4.963019277603885
                                                          Encrypted:false
                                                          SSDEEP:12:qITMDIb6UIJTc6S6juINIkU3lkimkU3MIkT:qIMIb6UIJA6SsuINI53ldm53MIk
                                                          MD5:172D6845744A1EC7DC233E9335C5A47C
                                                          SHA1:F0E3CB9C55F0F0961EF496D3EBF532943FB155E1
                                                          SHA-256:7AEF8EF0D965D2AEDDDF2FBC2B99BA2A3E5E96517BCD38ADB1A3315456D16E6F
                                                          SHA-512:639D0D336EA949B877E12A0DB026FC3D085F3DD2B25A7C5CDCC8850CCD998FCA4364BB18D167454AEDB763793E9D251E08A1A3A06A46117FF0B5B2AE22E06643
                                                          Malicious:false
                                                          Preview: IF (checkWINST.Caption <> TRUE) THEN WINST.Visible := True;..IF (checkJS.Caption <> TRUE) THEN JS.Visible := True;..IF (checkDotNET.Caption <> TRUE) THEN dotNET.Visible := True;..IF (checkWINST.Caption = TRUE) THEN WINST.Visible := False;..IF (checkDotNET.Caption = TRUE) THEN dotNET.Visible := False;..IF (checkJS.Caption = TRUE) THEN JS.Visible := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\progress.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):43482
                                                          Entropy (8bit):4.168440625869399
                                                          Encrypted:false
                                                          SSDEEP:768:3JHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfR:3hXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Da
                                                          MD5:5C0175D2688D0942C2616E689B52C5F9
                                                          SHA1:200FE3D32B6A593538F61E3D1AA2A860BC40A2EA
                                                          SHA-256:00FD246E8C2E5C79A0753C5BFD0D37A21C1CC0B272312C127E0775DB94669392
                                                          SHA-512:02440C85404465F8FD590BF6AA5FA4FF315A34B39A9B958C73B294AC139B6C6D9BAAC0CD26A769E62480C547A71F98ECB70D6BBDCA4390F4347DBBC80E780AB8
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0....TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z..
                                                          C:\Users\user\AppData\Local\Temp\mia1\progress.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):666
                                                          Entropy (8bit):4.809149901341814
                                                          Encrypted:false
                                                          SSDEEP:6:a3jF2duukAiRcjjuukTDoRcjF2duukTDQTjjuukA6uN82du+wg4RBN82dukU3ekd:csIrqar1sIroarIINIkU3lkimkU3MIkT
                                                          MD5:03D007FB3FC47A2F8CA6EB2C13881052
                                                          SHA1:3212C3FB7FAA97630F849AD7EBA205D90EAC7EE3
                                                          SHA-256:692786FB6BF3363DFDD0CDA8013986F4F63FD9209DA6BD1299CC8CF06275DF89
                                                          SHA-512:A2193DFBB22D9F8EFB3CFFD8F2E4021A3213667F13F218EF1AA9B1DD2BF3044AF1E71CFB19497762A386B6CFB841C4C642C739A52471556ED7C3877907D6EA9E
                                                          Malicious:false
                                                          Preview: IF (TestRemove.Caption <> TRUE) THEN CaptionInstall.Visible := True;..IF (TestRemove.Caption = TRUE) THEN CaptionUninstall.Visible := True;..IF (TestRemove.Caption <> TRUE) THEN CaptionUninstall.Visible := False;..IF (TestRemove.Caption = TRUE) THEN CaptionInstall.Visible := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\progressprereq.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):43116
                                                          Entropy (8bit):4.127536230542945
                                                          Encrypted:false
                                                          SSDEEP:768:yUHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibf/D:y0XQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dm
                                                          MD5:AF75C73B31B45D4797A326367B1A696A
                                                          SHA1:B2795FAA612F4BFAEDF79EF0DDC6CC7E43FB5801
                                                          SHA-256:F5BD968E1580C2B47D800867A237D4F90CD7465E38219836E7792094354CBBD2
                                                          SHA-512:9073543CBF566EB031E6EF257A670BD59535B568F2D5C480A4D9DF9470586234226EB232F8A18D64322477502FB3AFB14B2422827647B69CFD8AFB2CFD75E490
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0.X...TPF0.TfrmDesign.frmDesign.Left....Top.w.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...
                                                          C:\Users\user\AppData\Local\Temp\mia1\progressprereq.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\readme.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32365
                                                          Entropy (8bit):3.210637703795355
                                                          Encrypted:false
                                                          SSDEEP:768:F2HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfMR:FuXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dn
                                                          MD5:8DB37E945737A642476551E6EA537ED5
                                                          SHA1:2579ECFFD229F167398337358778E032AAAE3E3D
                                                          SHA-256:4221122F990055367BE3AF2CCD9A8A6A28E4E8A8889B74BD543C70E96FF63527
                                                          SHA-512:461CD4C6F01A82AC1C6D97968AF1B3CCD6E5D5D8C76C5CDD92822869335C379E8DD07A562DF787232D173588D9DCBC1E3071A5E5BE873D02DE6744BEE599AA92
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\readme.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):502
                                                          Entropy (8bit):4.896842553280578
                                                          Encrypted:false
                                                          SSDEEP:6:aHi6GKuMtrk86i6euMtrkeuN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+J:0IMtgfjMtgxINIkU3lkimkU3MIkT
                                                          MD5:D312F2FDC09193A04578D688A2CA292D
                                                          SHA1:54BD3AA4CC72E68FC613A4227CADA7AD702D795E
                                                          SHA-256:DB1C3A93A00A46C77F3E8D19C5DA4D42C54CE58C9EB71B586E512ABEE2D46967
                                                          SHA-512:A71514B0F31010F7BF23954BCE707A277CA765BC14DDED7D7870615528A7751E4B26E72BB826781BC4F57C2A7C75FCFB92C4BA781AAD58372CF6CECE39832D19
                                                          Malicious:false
                                                          Preview: IF (LicenseCheck.Checked = True) THEN Next.Enabled := True;..IF (LicenseCheck.Checked = False) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\registration.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32609
                                                          Entropy (8bit):3.2576929890359447
                                                          Encrypted:false
                                                          SSDEEP:768:ewVHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfg:ewdXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5v
                                                          MD5:357DC1A87B637A95C2255C15ABDB9765
                                                          SHA1:B41DBE26DB3C8F489E32096535E7DF8AF5F7859C
                                                          SHA-256:005829185AC1A56337D40D515C7E8DA84B06A8E7B7487477DE521861248645D0
                                                          SHA-512:ABBBD816EDDE10AF7612ACCF8858434BD9C17443B92CD7E3966F44B2F624822EE123EAD2DA7F1EF686D76D13FE7C4923F1E3460E0681CB9C239462638D14F677
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\registration.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):576
                                                          Entropy (8bit):4.8398488933566055
                                                          Encrypted:false
                                                          SSDEEP:12:+GYMtg+YMtgdmMtgpMtgxINIkU3lkimkU3MIkT:+ffFmB5INI53ldm53MIk
                                                          MD5:FF697C2FFA89894EC61F9ADF6839926E
                                                          SHA1:25CA863E1866D72D2AB76F76B15A7705F2C0CD12
                                                          SHA-256:C8FDC1180440954E7773ABFA450D153194FA675B8B2764F0300C00A73C989BAC
                                                          SHA-512:A67389FBA944DEA454F7D4559911F745ADE10A8B3B5ED57A6741546AA4EF77FC47017BC7711A586A19EDFA3825517D78BA46A841B0AB7291B6145EA9B0E63A76
                                                          Malicious:false
                                                          Preview: IF (Name.Text <> ) THEN Next.Enabled := True;..IF (Company.Text <> ) THEN Next.Enabled := True;..IF (Name.Text = ) THEN Next.Enabled := False;..IF (Company.Text = ) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\registrationwithserial.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33341
                                                          Entropy (8bit):3.3842477874818355
                                                          Encrypted:false
                                                          SSDEEP:768:JdHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfM4:JFXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dk
                                                          MD5:8616C794648FD69FAC8F0F88EDB22E4E
                                                          SHA1:DDDFECF6EA3719E9CEF5C406FD4D525AF7D74A61
                                                          SHA-256:7E5099588AC9EB46983021CFDFCDDDBEFEBFE4CBD8388A531EDAD35FC3DA842D
                                                          SHA-512:B1288B55785B0CA40F331AE92460F213A1C8D77037D5ABA6BBBD74882024ABDC8985E10899F4476CFF64D83F424957B11FD0B759B537E2216DB4E146B1CD09ED
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\registrationwithserial.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1096
                                                          Entropy (8bit):4.80637071596533
                                                          Encrypted:false
                                                          SSDEEP:12:+GYMtg+YMtgPt0YMtgPrYMtgP0ZYMtgPpDYMtgPuYMtgdmMtgpMtg6tkMtg63Mtz:+ff7kkKSHFmBBApVeN5INI53ldm53MIk
                                                          MD5:E30F9BD0EB3C6A3372F67E0F8886E28C
                                                          SHA1:B390AAEDCE02E0A1A031506EE73C313221367BBF
                                                          SHA-256:905BBFEDE6E19926541295E4599A14169CDC21392388DAE0EE1974A5C827D608
                                                          SHA-512:CBDCA01D6A8E060307DA35E6F5F5F52D691F0245E285548454B391543680817783CB443046263BEF5BC3B7A774C503771403FC5B76069F02ADD8A72972CE67F8
                                                          Malicious:false
                                                          Preview: IF (Name.Text <> ) THEN Next.Enabled := True;..IF (Company.Text <> ) THEN Next.Enabled := True;..IF (Serial1.Text <> ) THEN Next.Enabled := True;..IF (Serial2.Text <> ) THEN Next.Enabled := True;..IF (Serial3.Text <> ) THEN Next.Enabled := True;..IF (Serial4.Text <> ) THEN Next.Enabled := True;..IF (Serial5.Text <> ) THEN Next.Enabled := True;..IF (Name.Text = ) THEN Next.Enabled := False;..IF (Company.Text = ) THEN Next.Enabled := False;..IF (Serial1.Text = ) THEN Next.Enabled := False;..IF (Serial2.Text = ) THEN Next.Enabled := False;..IF (Serial3.Text = ) THEN Next.Enabled := False;..IF (Serial4.Text = ) THEN Next.Enabled := False;..IF (Serial5.Text = ) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THE
                                                          C:\Users\user\AppData\Local\Temp\mia1\setuptype.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33637
                                                          Entropy (8bit):3.431633511700928
                                                          Encrypted:false
                                                          SSDEEP:768:+YHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfQd:+YXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dp
                                                          MD5:0ED309FE577738BE9F9EC6E6D4630658
                                                          SHA1:3D22B4956C8DA2C4E91D99C590E165710915AEC3
                                                          SHA-256:D65D017C4E6F112F1959F6BBC50FDFF35348596BE68183A5570257A199EAC1A6
                                                          SHA-512:10E4E1D32E0A47196D18EAFA4FFF03C7F7D36F3AF37E1A0A3DCDE04ADEB3BBF2B3CE51A76D8236CE60AF63D813469BB20E28E997F10BB7986E39DF97B851BFC7
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\setuptype.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\startinstallation.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):160094
                                                          Entropy (8bit):1.9356018985653418
                                                          Encrypted:false
                                                          SSDEEP:192:BrMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4C/DE+n5mW+y:BNI/SjJ
                                                          MD5:72FB03688EB1DC0BFB2EC47EFC219136
                                                          SHA1:4C05F9B7F93B9CAEFDFBDE71AEFA33662E30284B
                                                          SHA-256:CFEBA603367D7CE269E6806BEF49E135370CB4AE80EA575442DCE0833FDB991A
                                                          SHA-512:6FA85A87C2BB0ADC4F699557D5C56A7D714E3852B1531E8AE3516195BB4FED29E6278966192F6A5068D166938760F42E44F355AF0735B3291D1DEC01357E52C1
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\startinstallation.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\startmenu.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33346
                                                          Entropy (8bit):3.385772495039534
                                                          Encrypted:false
                                                          SSDEEP:768:27HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibftPV:27XQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Di
                                                          MD5:79A6D4AC0D44492941DBF1BCF729FCE0
                                                          SHA1:B9A4351BA665D5F190FDCEAAC2F278214E402628
                                                          SHA-256:ED50635652C5E71DD4EE1FBEB5B64E312235D3215C519E2DA2966FF44C61745B
                                                          SHA-512:D0B8A675193F05FFB8A71624E67A0FB63BE6433C73798B675486F6D86181DDE52E1910E51A27E7A61932A0360E2236BE3493196497D9B7C198A8B8CE5F6C2808
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\startmenu.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):602
                                                          Entropy (8bit):4.858794405298382
                                                          Encrypted:false
                                                          SSDEEP:12:jOYMtgQeMtg1dsdrHEUxIsdrHExINIkU3lkimkU3MIkT:jXoe3GI1INI53ldm53MIk
                                                          MD5:5622CBE0342EA56DBEDDB3F036450AE9
                                                          SHA1:97D52E9CE2FE1BA92BA141BCC66D2ECC6EC93978
                                                          SHA-256:19878CE6F272ECDBE413786244A8476214F99445EBB85F307E92B07F2A4C8869
                                                          SHA-512:C1E7CB7493635D368FBB7DA741353C82CB389488E1D8C32CB769FADACE21BC27416E59D2A9525A8DAC1D69195679CE91120496E7A74BF44377E91D97267B231F
                                                          Malicious:false
                                                          Preview: IF (MenuGroup.Text <> ) THEN Next.Enabled := True;..IF (MenuGroup.Text = ) THEN Next.Enabled := False;..IF (ISNT.Caption = TRUE) THEN AllUsers.Enabled := True;..IF (ISNT.Caption <> TRUE) THEN AllUsers.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\welcome.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):160013
                                                          Entropy (8bit):1.9309569759113825
                                                          Encrypted:false
                                                          SSDEEP:192:1vMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4CBH1qwWn5meN:1pI/V9d
                                                          MD5:90F5FF6EDDCCA361D3D359958A97D5A4
                                                          SHA1:85AF264588C053310154318DAB63F754584206D9
                                                          SHA-256:8A9CE30F887652B86334075B2E42E5B76F48075928CE56C53C4D23E375DD546F
                                                          SHA-512:D8A03D9E20292330E3736F178D1B6315CE88B3C623A89C527C5EA33999FD4395A1D98DC95F7632CE0AAD4D9853EA98F36CD641E36E5AA118FECE247ED24E5D43
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\welcome.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia1\wizard.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32251
                                                          Entropy (8bit):3.1896653509607855
                                                          Encrypted:false
                                                          SSDEEP:768:arHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfH:arXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5DI
                                                          MD5:8AA68DEE4B3D18226980261469A560ED
                                                          SHA1:E359A76C34D1F906690054A871C85DFA3A1C88A4
                                                          SHA-256:D2267023E1F38FA5E44AFDF55B6DD485E25F2F1A8EC82C9E93EB8F137F0FBA2F
                                                          SHA-512:6FC30F309A79C6A5661E6673B94258B0C1A240ED9934CB3D6A65C76CAAEDA032001A8F4C79416C76D9F278A0ADDFF595D04B1D60A0924363CEBB97311659CF6C
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia1\wizard.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\Install Fonts EXE-PlugIn.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):76728
                                                          Entropy (8bit):6.254581045679638
                                                          Encrypted:false
                                                          SSDEEP:1536:edjdN2c6vBVoJFLVbRv4e1R42TtHT/tNzxU:edNmVGFp9B1TtHT/tNzu
                                                          MD5:980ABD131E4B45DC8ED554D3EE0C2044
                                                          SHA1:B6041667248E9AD0CED547B33C16BF1D8A495661
                                                          SHA-256:0D75323B0EEFE651374099234B718DA70FE3C160D62BD73B49579CB07C4DDE4B
                                                          SHA-512:0429B94DD0871CB8EDB02DDDDEF2E5D21D22B09D96DCB1CF937E35B2D085742CEBDF121591902FD0A686078F9F241C5551892D1BBFC15E2B094D39BEBA159C5A
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\LI-180_Installer.msi
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\componentstree.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33309
                                                          Entropy (8bit):3.3772470427001995
                                                          Encrypted:false
                                                          SSDEEP:768:pJHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfTE:phXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dt
                                                          MD5:F1BA2D0A20CF4290FCDB45B3CF54840C
                                                          SHA1:EC808EBC2563D3D00866BDE0AFF4059C3C995C03
                                                          SHA-256:F27A9B4D468632780547E3FC26A59993B3108A18CB096852A302577BFA4C6F2F
                                                          SHA-512:C4073CE6F58447B858901389D52BD479C888370CD6328499B516B9C919A728C4099F00DFA19005AC65BC986A79FF2A9A0E4CAAE9BCC0A5E3A72747696B4BC126
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\componentstree.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\destination.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33184
                                                          Entropy (8bit):3.358519824453405
                                                          Encrypted:false
                                                          SSDEEP:768:BxHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfh:BpXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Ds
                                                          MD5:C92448DB4098F4A3095C0BF94500D2D6
                                                          SHA1:D5F0AAA3C7E55B085D0D57C13499E07AF30354CF
                                                          SHA-256:799B7F02BA036F90052545DA51D2807A0CB65B657C36FB26113BDE086E40D929
                                                          SHA-512:830244E76DBD3CE333A540FB54470F99FC295FCF00CF2D2586FA28094B1A2EB0A5B98EAFBD82A78AD37635E5424FA84C428630B5D42E322E885A846CF0EEE5EE
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\destination.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\finish.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):161230
                                                          Entropy (8bit):1.999222422314916
                                                          Encrypted:false
                                                          SSDEEP:192:tty+Dfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4CWNux1LAwpk:tbbI/T4+
                                                          MD5:F45B64FF519D1538DCC250AA3149AC4D
                                                          SHA1:CF1B58E06FAA1D7F7239C648E64CF4DE1A1CFDF2
                                                          SHA-256:15958250C4F342B9ABF75E7DAA1AA5BBD8366BA6D57B23E0A690FD0F2F703F72
                                                          SHA-512:ED61591FBE14B7A3ED798EFAA4D577BB0AD620AF0996DEA9E96A4A31E024C17F80B561133B97D08B1E41CF286F9B04214C0FF565D6A1DD59A9763E516B0D2410
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\finish.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1938
                                                          Entropy (8bit):5.044225786332962
                                                          Encrypted:false
                                                          SSDEEP:24:vuikSi+nfi0ZiFuEai/pZSruicvSi+pipUivuNsIi/pEaiDatfi/pTvSgREii/p5:v5ExAGVPbu1ZRMfkf3faWYxWqQch
                                                          MD5:A5066097B928A2A87318FF5D74084344
                                                          SHA1:7041B5D87E79ED362121DC5E29751960D6D8B1FA
                                                          SHA-256:418DA2B3B60D642FAB7C40E6366DC8CA53C8E4BFD761083EB3E2425682BBD0E4
                                                          SHA-512:DC8FC4841217FC503DD94060E1D151552022CDDCB115BE5F4317FF3C8686AACA2A6931A08EB5005B00D3DDA848D90236A2ADE1E4B98BCD4F6C01B6552F70BF63
                                                          Malicious:false
                                                          Preview: .IF (checkSuccess.Caption = COMPLETE) THEN textComplete.Visible := True;..IF (checkSuccess.Caption = REBOOT) THEN textReboot.Visible := True;..IF (checkSuccess.Caption = CANCEL) THEN textCancelled.Visible := True;..IF (checkSuccess.Caption = ERROR) THEN textError.Visible := True;..IF (checkSuccess.Caption = COMPLETE) THEN RunNow.Visible := True;..IF (checkRemove.Caption = TRUE) THEN textRemove.Visible := True;..IF (checkSuccess.Caption = REBOOT) THEN RebootNow.Visible := True;..IF (checkSuccess.Caption <> COMPLETE) THEN textComplete.Visible := False;..IF (checkSuccess.Caption <> REBOOT) THEN textReboot.Visible := False;..IF (checkSuccess.Caption <> CANCEL) THEN textCancelled.Visible := False;..IF (checkSuccess.Caption <> ERROR) THEN textError.Visible := False;..IF (checkSuccess.Caption <> COMPLETE) THEN RunNow.Visible := False;..IF (checkRemove.Caption <> TRUE) THEN textRemove.Visible := False;..IF (checkRemove.Caption = TRUE) THEN textComplete.Visible :=
                                                          C:\Users\user\AppData\Local\Temp\mia2\icon.ico
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 128x128, 32 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):102009
                                                          Entropy (8bit):1.439058677460756
                                                          Encrypted:false
                                                          SSDEEP:96:8fWSNWlsTzOmH4xjpREoc6klrV1X7sAtkqN2Afw+80KsbLootu+43pKdBKKirUEI:zlC6Fx9REoc6UrV1LsAtkqzoB+45Kd0C
                                                          MD5:8669CAD499B2FDD623A2219DA0EDF9E2
                                                          SHA1:1D41EC18DD60166CD34DE34FED5B19E778F99590
                                                          SHA-256:E47079863E0FAC451B02DDA76171729FF8EAD992281E003ACE30BA73237575A8
                                                          SHA-512:0F3720C1C46EEE10018A627B7CBD36C1630A8A9B1A97C5BBDE93CF38038BA265A200D0867338E14DED554D7565DB29FC16C45698476022CEE4F660DE6F061DEC
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\installaware.png
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):1597
                                                          Entropy (8bit):7.871063017224323
                                                          Encrypted:false
                                                          SSDEEP:24:X93kpZjQLmEcxtIwWXPAGpKpkZcks41xdrqUaBdJbYfxpJgx7YWg/uLwdCnq:N3Yj8mEcxywiPrpKpNMdr07SxgSt
                                                          MD5:B7225A16DAF9DE1D514AEFE567FDF2F5
                                                          SHA1:D6A00C526C425FCD5EF49B0C87814F2CF476CB59
                                                          SHA-256:0E2DEFC9B470D3F9BD184D254493EFAD94EA0273C1FE17FC8FC651D47B01734E
                                                          SHA-512:31412603AE87F2B9C9DAD2D0BA64868105586D1778846DE5F1C14667C4292DE36FC193B54670BDF130019B0B42AB59EEF2C2D8672226BA755181FEA894BD9246
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\license.rtf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:Rich Text Format data, version 1, unknown character set
                                                          Category:dropped
                                                          Size (bytes):8029
                                                          Entropy (8bit):5.0787285797616715
                                                          Encrypted:false
                                                          SSDEEP:192:6RMfWBgsh5jrcRUjFZ6Adb+3eGl83ykMfUaFW7W9nK7dLf0gurZ+2:Yush5jICj6AdRGAD4W7W9K710N02
                                                          MD5:6017828D717690DD90F7AB6BBEA202F2
                                                          SHA1:C24165A9B87075A6E71E95E58E2EEEB9C932811F
                                                          SHA-256:29B4BFB1AA7BD6B23CD4CC14E23AA8A3E5D9A3C6AAB66E93BBD419B23115728B
                                                          SHA-512:F7605379EC384DB19928C9BFA5168DBE45C718E2E885CAA8A5A412BB5CBCA49091481FC7D29018A44A41A54093A3524A168E16FD4471291A327152AD7F4A13E6
                                                          Malicious:false
                                                          Preview: {\rtf1\fbidis\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\fnil\fcharset136 Tahoma;}}..\viewkind4\uc1\pard\ltrpar\lang1028\f0\fs16 END USER LICENSE AGREEMENT \par..\par..\par..\lang1033 This copy of LI-180 Spectrometer("the Software Product") and accompanying documentation is licensed and not sold. This Software Product is protected by copyright laws and treaties, as well as laws and treaties related to other forms of intellectual property. LI-COR, Inc. or its subsidiaries, affiliates, and suppliers (collectively "LI-COR") own intellectual property rights in the Software Product. The Licensee's ("you" or "your") license to download, use, copy, or change the Software Product is subject to these rights and to all the terms and conditions of this End User License Agreement ("Agreement"). \par..\par..Acceptance \par..\par..YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT BY SELECTING THE "ACCEPT" OPTION AND DOWNLOADING THE
                                                          C:\Users\user\AppData\Local\Temp\mia2\licensecheck.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32515
                                                          Entropy (8bit):3.2392237095249325
                                                          Encrypted:false
                                                          SSDEEP:768:j2HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfE:juXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5D1
                                                          MD5:9A87495839CA4357F293308C86139F03
                                                          SHA1:0529F4612D004BAA1FE8806F6EAD5E78B3E76E55
                                                          SHA-256:C623B82A8BE3EAD16900164C09AFEE00215DC1749A6DE8D4F381CF983A3F5CEB
                                                          SHA-512:75F64D527924764598066D157C406FD18A00FA59EAB8D418724EF7E87B8B718EF57595118284710A08B17D7C287723AAF5F06383F877ADF77EFF7F7573AD665E
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\licensecheck.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):502
                                                          Entropy (8bit):4.896842553280578
                                                          Encrypted:false
                                                          SSDEEP:6:aHi6GKuMtrk86i6euMtrkeuN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+J:0IMtgfjMtgxINIkU3lkimkU3MIkT
                                                          MD5:D312F2FDC09193A04578D688A2CA292D
                                                          SHA1:54BD3AA4CC72E68FC613A4227CADA7AD702D795E
                                                          SHA-256:DB1C3A93A00A46C77F3E8D19C5DA4D42C54CE58C9EB71B586E512ABEE2D46967
                                                          SHA-512:A71514B0F31010F7BF23954BCE707A277CA765BC14DDED7D7870615528A7751E4B26E72BB826781BC4F57C2A7C75FCFB92C4BA781AAD58372CF6CECE39832D19
                                                          Malicious:false
                                                          Preview: IF (LicenseCheck.Checked = True) THEN Next.Enabled := True;..IF (LicenseCheck.Checked = False) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\mDIFxEXE.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1305600
                                                          Entropy (8bit):6.66768345397406
                                                          Encrypted:false
                                                          SSDEEP:24576:yIAaJZ7NOcdUT4OELlCRmLrxB4Swz+hLnNlAj4HdH:HcWgYfxSSwz4A6
                                                          MD5:511629FCCFB6C536A8F6FCBF4AA06401
                                                          SHA1:6931DE3FB845AF6CD30348108A98767268EF6200
                                                          SHA-256:65AD010679A748A7174ABE1C314E0F1AE78E7BE69DEC22F0357536F21399C68C
                                                          SHA-512:D51248F81789E8E2DEFB7B59E551B3FF705C8D8BB098AC66E7A4C7C9AF48855544BA44D6256F02052B6D525753A645E7EA601F421A5918446A231775F89E081C
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\mMSIExec.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1340928
                                                          Entropy (8bit):6.677299856016359
                                                          Encrypted:false
                                                          SSDEEP:24576:89mKmMTfYBbuMNX9PnKMHxXgrptvZzDMbxBqSwY1raig5CUd1t:89mn1buMNX9yChIGbxUSwr57d1t
                                                          MD5:57C34F9689A69BE0C1CD7F6FF3FDA546
                                                          SHA1:54F0D3CB9693D8937AA93301AC66D25CDEA9B628
                                                          SHA-256:2C2095721E9E7B3CA68D08D5F3D6E0528B8BCED9A45CEA638CF4B8212E9B139E
                                                          SHA-512:01C95F082FD71DAD1BC686F37B7CA06724936B2E02294147EEBE384910809ADC8D802D89016CFA423C1181D531CE6C8D0AF4C95F633D8AE8D6AAD3B10C842F4D
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\maintenance.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):160624
                                                          Entropy (8bit):1.9662006432706152
                                                          Encrypted:false
                                                          SSDEEP:192:tdMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4Cwtq69wWnUgK:tfI/kwAgK
                                                          MD5:B3C9C9EE0C9C2DCB15CF24D5DF20F4F3
                                                          SHA1:3B1660EB617CB2751D9CCC79B8C025BD5A7B153B
                                                          SHA-256:23D6D6041B3025A8B1817B5FC455067B534AD91DCB19A1D09509A3AE55065CED
                                                          SHA-512:93C5B855AF462D9772754CB46307F5890735F7476D8ECF0F9CF213BC3A32EB4E19E3C48842A68F9D1DD29EAF2A8A2EE4712E917AB05BC121C18BFA77E3250811
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\maintenance.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\prereq.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32639
                                                          Entropy (8bit):3.2633511856005843
                                                          Encrypted:false
                                                          SSDEEP:768:scHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfi:scXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dp
                                                          MD5:3B989C7730DF816A13A88B722A25B021
                                                          SHA1:882F64912D28ED7C1EE1D59333E934CC73E1C50A
                                                          SHA-256:9E7054257B4D608BC16547468B0E6D4AA06B0A0CF467CF76CD7ED169979E0B2C
                                                          SHA-512:36E42A53E3F4956DD87DCBF6E36B43E9210B8A5195684228CCF7C465ECB7105505EAFF01F705B8B4D48631E21C02B443AB871D84415A1597FC4B52B22D18689F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\prereq.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):744
                                                          Entropy (8bit):4.963019277603885
                                                          Encrypted:false
                                                          SSDEEP:12:qITMDIb6UIJTc6S6juINIkU3lkimkU3MIkT:qIMIb6UIJA6SsuINI53ldm53MIk
                                                          MD5:172D6845744A1EC7DC233E9335C5A47C
                                                          SHA1:F0E3CB9C55F0F0961EF496D3EBF532943FB155E1
                                                          SHA-256:7AEF8EF0D965D2AEDDDF2FBC2B99BA2A3E5E96517BCD38ADB1A3315456D16E6F
                                                          SHA-512:639D0D336EA949B877E12A0DB026FC3D085F3DD2B25A7C5CDCC8850CCD998FCA4364BB18D167454AEDB763793E9D251E08A1A3A06A46117FF0B5B2AE22E06643
                                                          Malicious:false
                                                          Preview: IF (checkWINST.Caption <> TRUE) THEN WINST.Visible := True;..IF (checkJS.Caption <> TRUE) THEN JS.Visible := True;..IF (checkDotNET.Caption <> TRUE) THEN dotNET.Visible := True;..IF (checkWINST.Caption = TRUE) THEN WINST.Visible := False;..IF (checkDotNET.Caption = TRUE) THEN dotNET.Visible := False;..IF (checkJS.Caption = TRUE) THEN JS.Visible := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\progress.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):43482
                                                          Entropy (8bit):4.168440625869399
                                                          Encrypted:false
                                                          SSDEEP:768:3JHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfR:3hXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Da
                                                          MD5:5C0175D2688D0942C2616E689B52C5F9
                                                          SHA1:200FE3D32B6A593538F61E3D1AA2A860BC40A2EA
                                                          SHA-256:00FD246E8C2E5C79A0753C5BFD0D37A21C1CC0B272312C127E0775DB94669392
                                                          SHA-512:02440C85404465F8FD590BF6AA5FA4FF315A34B39A9B958C73B294AC139B6C6D9BAAC0CD26A769E62480C547A71F98ECB70D6BBDCA4390F4347DBBC80E780AB8
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\progress.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):666
                                                          Entropy (8bit):4.809149901341814
                                                          Encrypted:false
                                                          SSDEEP:6:a3jF2duukAiRcjjuukTDoRcjF2duukTDQTjjuukA6uN82du+wg4RBN82dukU3ekd:csIrqar1sIroarIINIkU3lkimkU3MIkT
                                                          MD5:03D007FB3FC47A2F8CA6EB2C13881052
                                                          SHA1:3212C3FB7FAA97630F849AD7EBA205D90EAC7EE3
                                                          SHA-256:692786FB6BF3363DFDD0CDA8013986F4F63FD9209DA6BD1299CC8CF06275DF89
                                                          SHA-512:A2193DFBB22D9F8EFB3CFFD8F2E4021A3213667F13F218EF1AA9B1DD2BF3044AF1E71CFB19497762A386B6CFB841C4C642C739A52471556ED7C3877907D6EA9E
                                                          Malicious:false
                                                          Preview: IF (TestRemove.Caption <> TRUE) THEN CaptionInstall.Visible := True;..IF (TestRemove.Caption = TRUE) THEN CaptionUninstall.Visible := True;..IF (TestRemove.Caption <> TRUE) THEN CaptionUninstall.Visible := False;..IF (TestRemove.Caption = TRUE) THEN CaptionInstall.Visible := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\progressprereq.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):43116
                                                          Entropy (8bit):4.127536230542945
                                                          Encrypted:false
                                                          SSDEEP:768:yUHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibf/D:y0XQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dm
                                                          MD5:AF75C73B31B45D4797A326367B1A696A
                                                          SHA1:B2795FAA612F4BFAEDF79EF0DDC6CC7E43FB5801
                                                          SHA-256:F5BD968E1580C2B47D800867A237D4F90CD7465E38219836E7792094354CBBD2
                                                          SHA-512:9073543CBF566EB031E6EF257A670BD59535B568F2D5C480A4D9DF9470586234226EB232F8A18D64322477502FB3AFB14B2422827647B69CFD8AFB2CFD75E490
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\progressprereq.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\readme.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32365
                                                          Entropy (8bit):3.210637703795355
                                                          Encrypted:false
                                                          SSDEEP:768:F2HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfMR:FuXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dn
                                                          MD5:8DB37E945737A642476551E6EA537ED5
                                                          SHA1:2579ECFFD229F167398337358778E032AAAE3E3D
                                                          SHA-256:4221122F990055367BE3AF2CCD9A8A6A28E4E8A8889B74BD543C70E96FF63527
                                                          SHA-512:461CD4C6F01A82AC1C6D97968AF1B3CCD6E5D5D8C76C5CDD92822869335C379E8DD07A562DF787232D173588D9DCBC1E3071A5E5BE873D02DE6744BEE599AA92
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\readme.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):502
                                                          Entropy (8bit):4.896842553280578
                                                          Encrypted:false
                                                          SSDEEP:6:aHi6GKuMtrk86i6euMtrkeuN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+J:0IMtgfjMtgxINIkU3lkimkU3MIkT
                                                          MD5:D312F2FDC09193A04578D688A2CA292D
                                                          SHA1:54BD3AA4CC72E68FC613A4227CADA7AD702D795E
                                                          SHA-256:DB1C3A93A00A46C77F3E8D19C5DA4D42C54CE58C9EB71B586E512ABEE2D46967
                                                          SHA-512:A71514B0F31010F7BF23954BCE707A277CA765BC14DDED7D7870615528A7751E4B26E72BB826781BC4F57C2A7C75FCFB92C4BA781AAD58372CF6CECE39832D19
                                                          Malicious:false
                                                          Preview: IF (LicenseCheck.Checked = True) THEN Next.Enabled := True;..IF (LicenseCheck.Checked = False) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\registration.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32609
                                                          Entropy (8bit):3.2576929890359447
                                                          Encrypted:false
                                                          SSDEEP:768:ewVHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfg:ewdXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5v
                                                          MD5:357DC1A87B637A95C2255C15ABDB9765
                                                          SHA1:B41DBE26DB3C8F489E32096535E7DF8AF5F7859C
                                                          SHA-256:005829185AC1A56337D40D515C7E8DA84B06A8E7B7487477DE521861248645D0
                                                          SHA-512:ABBBD816EDDE10AF7612ACCF8858434BD9C17443B92CD7E3966F44B2F624822EE123EAD2DA7F1EF686D76D13FE7C4923F1E3460E0681CB9C239462638D14F677
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia2\registration.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):576
                                                          Entropy (8bit):4.8398488933566055
                                                          Encrypted:false
                                                          SSDEEP:12:+GYMtg+YMtgdmMtgpMtgxINIkU3lkimkU3MIkT:+ffFmB5INI53ldm53MIk
                                                          MD5:FF697C2FFA89894EC61F9ADF6839926E
                                                          SHA1:25CA863E1866D72D2AB76F76B15A7705F2C0CD12
                                                          SHA-256:C8FDC1180440954E7773ABFA450D153194FA675B8B2764F0300C00A73C989BAC
                                                          SHA-512:A67389FBA944DEA454F7D4559911F745ADE10A8B3B5ED57A6741546AA4EF77FC47017BC7711A586A19EDFA3825517D78BA46A841B0AB7291B6145EA9B0E63A76
                                                          Malicious:false
                                                          Preview: IF (Name.Text <> ) THEN Next.Enabled := True;..IF (Company.Text <> ) THEN Next.Enabled := True;..IF (Name.Text = ) THEN Next.Enabled := False;..IF (Company.Text = ) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\registrationwithserial.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33341
                                                          Entropy (8bit):3.3842477874818355
                                                          Encrypted:false
                                                          SSDEEP:768:JdHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfM4:JFXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dk
                                                          MD5:8616C794648FD69FAC8F0F88EDB22E4E
                                                          SHA1:DDDFECF6EA3719E9CEF5C406FD4D525AF7D74A61
                                                          SHA-256:7E5099588AC9EB46983021CFDFCDDDBEFEBFE4CBD8388A531EDAD35FC3DA842D
                                                          SHA-512:B1288B55785B0CA40F331AE92460F213A1C8D77037D5ABA6BBBD74882024ABDC8985E10899F4476CFF64D83F424957B11FD0B759B537E2216DB4E146B1CD09ED
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0.)...TPF0.TfrmDesign.frmDesign.Left....Top.v.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...
                                                          C:\Users\user\AppData\Local\Temp\mia2\registrationwithserial.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1096
                                                          Entropy (8bit):4.80637071596533
                                                          Encrypted:false
                                                          SSDEEP:12:+GYMtg+YMtgPt0YMtgPrYMtgP0ZYMtgPpDYMtgPuYMtgdmMtgpMtg6tkMtg63Mtz:+ff7kkKSHFmBBApVeN5INI53ldm53MIk
                                                          MD5:E30F9BD0EB3C6A3372F67E0F8886E28C
                                                          SHA1:B390AAEDCE02E0A1A031506EE73C313221367BBF
                                                          SHA-256:905BBFEDE6E19926541295E4599A14169CDC21392388DAE0EE1974A5C827D608
                                                          SHA-512:CBDCA01D6A8E060307DA35E6F5F5F52D691F0245E285548454B391543680817783CB443046263BEF5BC3B7A774C503771403FC5B76069F02ADD8A72972CE67F8
                                                          Malicious:false
                                                          Preview: IF (Name.Text <> ) THEN Next.Enabled := True;..IF (Company.Text <> ) THEN Next.Enabled := True;..IF (Serial1.Text <> ) THEN Next.Enabled := True;..IF (Serial2.Text <> ) THEN Next.Enabled := True;..IF (Serial3.Text <> ) THEN Next.Enabled := True;..IF (Serial4.Text <> ) THEN Next.Enabled := True;..IF (Serial5.Text <> ) THEN Next.Enabled := True;..IF (Name.Text = ) THEN Next.Enabled := False;..IF (Company.Text = ) THEN Next.Enabled := False;..IF (Serial1.Text = ) THEN Next.Enabled := False;..IF (Serial2.Text = ) THEN Next.Enabled := False;..IF (Serial3.Text = ) THEN Next.Enabled := False;..IF (Serial4.Text = ) THEN Next.Enabled := False;..IF (Serial5.Text = ) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THE
                                                          C:\Users\user\AppData\Local\Temp\mia2\setuptype.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33637
                                                          Entropy (8bit):3.431633511700928
                                                          Encrypted:false
                                                          SSDEEP:768:+YHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfQd:+YXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dp
                                                          MD5:0ED309FE577738BE9F9EC6E6D4630658
                                                          SHA1:3D22B4956C8DA2C4E91D99C590E165710915AEC3
                                                          SHA-256:D65D017C4E6F112F1959F6BBC50FDFF35348596BE68183A5570257A199EAC1A6
                                                          SHA-512:10E4E1D32E0A47196D18EAFA4FFF03C7F7D36F3AF37E1A0A3DCDE04ADEB3BBF2B3CE51A76D8236CE60AF63D813469BB20E28E997F10BB7986E39DF97B851BFC7
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0.Q...TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TLabel.Label4.Left.(.Top.H.Width.I..Height.!.AutoSize..Caption..Please select a setup type..WordWrap....TBevel.Bevel2.Left...Top.:.Width....Height...Shape..bsTopLine...TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................)..
                                                          C:\Users\user\AppData\Local\Temp\mia2\setuptype.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\startinstallation.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):160094
                                                          Entropy (8bit):1.9356018985653418
                                                          Encrypted:false
                                                          SSDEEP:192:BrMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4C/DE+n5mW+y:BNI/SjJ
                                                          MD5:72FB03688EB1DC0BFB2EC47EFC219136
                                                          SHA1:4C05F9B7F93B9CAEFDFBDE71AEFA33662E30284B
                                                          SHA-256:CFEBA603367D7CE269E6806BEF49E135370CB4AE80EA575442DCE0833FDB991A
                                                          SHA-512:6FA85A87C2BB0ADC4F699557D5C56A7D714E3852B1531E8AE3516195BB4FED29E6278966192F6A5068D166938760F42E44F355AF0735B3291D1DEC01357E52C1
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0.Jq..TPF0.TfrmDesign.frmDesign.Left....Top.~.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.:..Picture.Data..i...TBitmap~i..BM~i......6...(.......:...........He..................V-..a8..`9..b=..nD..yJ..zL...S..d@..gC..jE..jF..mH..rL..tK..sM..zQ..kG .mI .lI%.rN$.tO&.pN).{R#.{U .{S$.rP*.tP).sR..{W..}Y*.vU2.|Z2.yY6.}[5.zZ8.}^;..X...V...[...`...f...a...f...l...o...z...|...r...z...q...w...|...\#..X'..]$..Y)..[,.._/..^4..e'..h#..i%..l+..t...d2..b4..f6..e:..g=..h?..j<..l<..q<..~)..|1..}8..eD..kF..oJ..mA..sC..rD..uH..xM..xS..}V..zJ.................../...3...4...?...<...1...6...8......................................
                                                          C:\Users\user\AppData\Local\Temp\mia2\startinstallation.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\startmenu.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33346
                                                          Entropy (8bit):3.385772495039534
                                                          Encrypted:false
                                                          SSDEEP:768:27HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibftPV:27XQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Di
                                                          MD5:79A6D4AC0D44492941DBF1BCF729FCE0
                                                          SHA1:B9A4351BA665D5F190FDCEAAC2F278214E402628
                                                          SHA-256:ED50635652C5E71DD4EE1FBEB5B64E312235D3215C519E2DA2966FF44C61745B
                                                          SHA-512:D0B8A675193F05FFB8A71624E67A0FB63BE6433C73798B675486F6D86181DDE52E1910E51A27E7A61932A0360E2236BE3493196497D9B7C198A8B8CE5F6C2808
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0.....TPF0.TfrmDesign.frmDesign.Left....Top.z.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...
                                                          C:\Users\user\AppData\Local\Temp\mia2\startmenu.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):602
                                                          Entropy (8bit):4.858794405298382
                                                          Encrypted:false
                                                          SSDEEP:12:jOYMtgQeMtg1dsdrHEUxIsdrHExINIkU3lkimkU3MIkT:jXoe3GI1INI53ldm53MIk
                                                          MD5:5622CBE0342EA56DBEDDB3F036450AE9
                                                          SHA1:97D52E9CE2FE1BA92BA141BCC66D2ECC6EC93978
                                                          SHA-256:19878CE6F272ECDBE413786244A8476214F99445EBB85F307E92B07F2A4C8869
                                                          SHA-512:C1E7CB7493635D368FBB7DA741353C82CB389488E1D8C32CB769FADACE21BC27416E59D2A9525A8DAC1D69195679CE91120496E7A74BF44377E91D97267B231F
                                                          Malicious:false
                                                          Preview: IF (MenuGroup.Text <> ) THEN Next.Enabled := True;..IF (MenuGroup.Text = ) THEN Next.Enabled := False;..IF (ISNT.Caption = TRUE) THEN AllUsers.Enabled := True;..IF (ISNT.Caption <> TRUE) THEN AllUsers.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\welcome.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):160013
                                                          Entropy (8bit):1.9309569759113825
                                                          Encrypted:false
                                                          SSDEEP:192:1vMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4CBH1qwWn5meN:1pI/V9d
                                                          MD5:90F5FF6EDDCCA361D3D359958A97D5A4
                                                          SHA1:85AF264588C053310154318DAB63F754584206D9
                                                          SHA-256:8A9CE30F887652B86334075B2E42E5B76F48075928CE56C53C4D23E375DD546F
                                                          SHA-512:D8A03D9E20292330E3736F178D1B6315CE88B3C623A89C527C5EA33999FD4395A1D98DC95F7632CE0AAD4D9853EA98F36CD641E36E5AA118FECE247ED24E5D43
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0..p..TPF0.TfrmDesign.frmDesign.Left....Top.~.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.:..Picture.Data..i...TBitmap~i..BM~i......6...(.......:...........He..................V-..a8..`9..b=..nD..yJ..zL...S..d@..gC..jE..jF..mH..rL..tK..sM..zQ..kG .mI .lI%.rN$.tO&.pN).{R#.{U .{S$.rP*.tP).sR..{W..}Y*.vU2.|Z2.yY6.}[5.zZ8.}^;..X...V...[...`...f...a...f...l...o...z...|...r...z...q...w...|...\#..X'..]$..Y)..[,.._/..^4..e'..h#..i%..l+..t...d2..b4..f6..e:..g=..h?..j<..l<..q<..~)..|1..}8..eD..kF..oJ..mA..sC..rD..uH..xM..xS..}V..zJ.................../...3...4...?...<...1...6...8......................................
                                                          C:\Users\user\AppData\Local\Temp\mia2\welcome.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia2\wizard.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32251
                                                          Entropy (8bit):3.1896653509607855
                                                          Encrypted:false
                                                          SSDEEP:768:arHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfH:arXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5DI
                                                          MD5:8AA68DEE4B3D18226980261469A560ED
                                                          SHA1:E359A76C34D1F906690054A871C85DFA3A1C88A4
                                                          SHA-256:D2267023E1F38FA5E44AFDF55B6DD485E25F2F1A8EC82C9E93EB8F137F0FBA2F
                                                          SHA-512:6FC30F309A79C6A5661E6673B94258B0C1A240ED9934CB3D6A65C76CAAEDA032001A8F4C79416C76D9F278A0ADDFF595D04B1D60A0924363CEBB97311659CF6C
                                                          Malicious:false
                                                          Preview: ...TFRMDESIGN.0..}..TPF0.TfrmDesign.frmDesign.Left....Top.z.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.|\9..P...W...^..._...e...c...i...l...s...{...y...z...|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(..*..-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...
                                                          C:\Users\user\AppData\Local\Temp\mia2\wizard.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\Install Fonts EXE-PlugIn.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):76728
                                                          Entropy (8bit):6.254581045679638
                                                          Encrypted:false
                                                          SSDEEP:1536:edjdN2c6vBVoJFLVbRv4e1R42TtHT/tNzxU:edNmVGFp9B1TtHT/tNzu
                                                          MD5:980ABD131E4B45DC8ED554D3EE0C2044
                                                          SHA1:B6041667248E9AD0CED547B33C16BF1D8A495661
                                                          SHA-256:0D75323B0EEFE651374099234B718DA70FE3C160D62BD73B49579CB07C4DDE4B
                                                          SHA-512:0429B94DD0871CB8EDB02DDDDEF2E5D21D22B09D96DCB1CF937E35B2D085742CEBDF121591902FD0A686078F9F241C5551892D1BBFC15E2B094D39BEBA159C5A
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.yW...........!...2.....h...............................................`......O$.............................. ...x............@.......................P......................................................."...............................code...'........ .................. ..`.text...l....0.......$.............. ..`.rdata..............................@..@.data....R.......N..................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\mia3\LI-180_Installer.msi
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:0
                                                          Category:dropped
                                                          Size (bytes):798720
                                                          Entropy (8bit):6.23248504194283
                                                          Encrypted:false
                                                          SSDEEP:12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
                                                          MD5:2B7F717CA3147788D37977F204C309F3
                                                          SHA1:801DADC3079409E409B3C16AE1366278AECDD6C6
                                                          SHA-256:828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
                                                          SHA-512:A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\componentstree.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33309
                                                          Entropy (8bit):3.3772470427001995
                                                          Encrypted:false
                                                          SSDEEP:768:pJHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfTE:phXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dt
                                                          MD5:F1BA2D0A20CF4290FCDB45B3CF54840C
                                                          SHA1:EC808EBC2563D3D00866BDE0AFF4059C3C995C03
                                                          SHA-256:F27A9B4D468632780547E3FC26A59993B3108A18CB096852A302577BFA4C6F2F
                                                          SHA-512:C4073CE6F58447B858901389D52BD479C888370CD6328499B516B9C919A728C4099F00DFA19005AC65BC986A79FF2A9A0E4CAAE9BCC0A5E3A72747696B4BC126
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\componentstree.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\destination.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33184
                                                          Entropy (8bit):3.358519824453405
                                                          Encrypted:false
                                                          SSDEEP:768:BxHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfh:BpXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Ds
                                                          MD5:C92448DB4098F4A3095C0BF94500D2D6
                                                          SHA1:D5F0AAA3C7E55B085D0D57C13499E07AF30354CF
                                                          SHA-256:799B7F02BA036F90052545DA51D2807A0CB65B657C36FB26113BDE086E40D929
                                                          SHA-512:830244E76DBD3CE333A540FB54470F99FC295FCF00CF2D2586FA28094B1A2EB0A5B98EAFBD82A78AD37635E5424FA84C428630B5D42E322E885A846CF0EEE5EE
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\destination.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\finish.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):161230
                                                          Entropy (8bit):1.999222422314916
                                                          Encrypted:false
                                                          SSDEEP:192:tty+Dfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4CWNux1LAwpk:tbbI/T4+
                                                          MD5:F45B64FF519D1538DCC250AA3149AC4D
                                                          SHA1:CF1B58E06FAA1D7F7239C648E64CF4DE1A1CFDF2
                                                          SHA-256:15958250C4F342B9ABF75E7DAA1AA5BBD8366BA6D57B23E0A690FD0F2F703F72
                                                          SHA-512:ED61591FBE14B7A3ED798EFAA4D577BB0AD620AF0996DEA9E96A4A31E024C17F80B561133B97D08B1E41CF286F9B04214C0FF565D6A1DD59A9763E516B0D2410
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\finish.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1938
                                                          Entropy (8bit):5.044225786332962
                                                          Encrypted:false
                                                          SSDEEP:24:vuikSi+nfi0ZiFuEai/pZSruicvSi+pipUivuNsIi/pEaiDatfi/pTvSgREii/p5:v5ExAGVPbu1ZRMfkf3faWYxWqQch
                                                          MD5:A5066097B928A2A87318FF5D74084344
                                                          SHA1:7041B5D87E79ED362121DC5E29751960D6D8B1FA
                                                          SHA-256:418DA2B3B60D642FAB7C40E6366DC8CA53C8E4BFD761083EB3E2425682BBD0E4
                                                          SHA-512:DC8FC4841217FC503DD94060E1D151552022CDDCB115BE5F4317FF3C8686AACA2A6931A08EB5005B00D3DDA848D90236A2ADE1E4B98BCD4F6C01B6552F70BF63
                                                          Malicious:false
                                                          Preview: .IF (checkSuccess.Caption = COMPLETE) THEN textComplete.Visible := True;..IF (checkSuccess.Caption = REBOOT) THEN textReboot.Visible := True;..IF (checkSuccess.Caption = CANCEL) THEN textCancelled.Visible := True;..IF (checkSuccess.Caption = ERROR) THEN textError.Visible := True;..IF (checkSuccess.Caption = COMPLETE) THEN RunNow.Visible := True;..IF (checkRemove.Caption = TRUE) THEN textRemove.Visible := True;..IF (checkSuccess.Caption = REBOOT) THEN RebootNow.Visible := True;..IF (checkSuccess.Caption <> COMPLETE) THEN textComplete.Visible := False;..IF (checkSuccess.Caption <> REBOOT) THEN textReboot.Visible := False;..IF (checkSuccess.Caption <> CANCEL) THEN textCancelled.Visible := False;..IF (checkSuccess.Caption <> ERROR) THEN textError.Visible := False;..IF (checkSuccess.Caption <> COMPLETE) THEN RunNow.Visible := False;..IF (checkRemove.Caption <> TRUE) THEN textRemove.Visible := False;..IF (checkRemove.Caption = TRUE) THEN textComplete.Visible :=
                                                          C:\Users\user\AppData\Local\Temp\mia3\icon.ico
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:MS Windows icon resource - 6 icons, 256x256 withPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 128x128, 32 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):102009
                                                          Entropy (8bit):1.439058677460756
                                                          Encrypted:false
                                                          SSDEEP:96:8fWSNWlsTzOmH4xjpREoc6klrV1X7sAtkqN2Afw+80KsbLootu+43pKdBKKirUEI:zlC6Fx9REoc6UrV1LsAtkqzoB+45Kd0C
                                                          MD5:8669CAD499B2FDD623A2219DA0EDF9E2
                                                          SHA1:1D41EC18DD60166CD34DE34FED5B19E778F99590
                                                          SHA-256:E47079863E0FAC451B02DDA76171729FF8EAD992281E003ACE30BA73237575A8
                                                          SHA-512:0F3720C1C46EEE10018A627B7CBD36C1630A8A9B1A97C5BBDE93CF38038BA265A200D0867338E14DED554D7565DB29FC16C45698476022CEE4F660DE6F061DEC
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\installaware.png
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):1597
                                                          Entropy (8bit):7.871063017224323
                                                          Encrypted:false
                                                          SSDEEP:24:X93kpZjQLmEcxtIwWXPAGpKpkZcks41xdrqUaBdJbYfxpJgx7YWg/uLwdCnq:N3Yj8mEcxywiPrpKpNMdr07SxgSt
                                                          MD5:B7225A16DAF9DE1D514AEFE567FDF2F5
                                                          SHA1:D6A00C526C425FCD5EF49B0C87814F2CF476CB59
                                                          SHA-256:0E2DEFC9B470D3F9BD184D254493EFAD94EA0273C1FE17FC8FC651D47B01734E
                                                          SHA-512:31412603AE87F2B9C9DAD2D0BA64868105586D1778846DE5F1C14667C4292DE36FC193B54670BDF130019B0B42AB59EEF2C2D8672226BA755181FEA894BD9246
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\license.rtf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:Rich Text Format data, version 1, unknown character set
                                                          Category:dropped
                                                          Size (bytes):8029
                                                          Entropy (8bit):5.0787285797616715
                                                          Encrypted:false
                                                          SSDEEP:192:6RMfWBgsh5jrcRUjFZ6Adb+3eGl83ykMfUaFW7W9nK7dLf0gurZ+2:Yush5jICj6AdRGAD4W7W9K710N02
                                                          MD5:6017828D717690DD90F7AB6BBEA202F2
                                                          SHA1:C24165A9B87075A6E71E95E58E2EEEB9C932811F
                                                          SHA-256:29B4BFB1AA7BD6B23CD4CC14E23AA8A3E5D9A3C6AAB66E93BBD419B23115728B
                                                          SHA-512:F7605379EC384DB19928C9BFA5168DBE45C718E2E885CAA8A5A412BB5CBCA49091481FC7D29018A44A41A54093A3524A168E16FD4471291A327152AD7F4A13E6
                                                          Malicious:false
                                                          Preview: {\rtf1\fbidis\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\fnil\fcharset136 Tahoma;}}..\viewkind4\uc1\pard\ltrpar\lang1028\f0\fs16 END USER LICENSE AGREEMENT \par..\par..\par..\lang1033 This copy of LI-180 Spectrometer("the Software Product") and accompanying documentation is licensed and not sold. This Software Product is protected by copyright laws and treaties, as well as laws and treaties related to other forms of intellectual property. LI-COR, Inc. or its subsidiaries, affiliates, and suppliers (collectively "LI-COR") own intellectual property rights in the Software Product. The Licensee's ("you" or "your") license to download, use, copy, or change the Software Product is subject to these rights and to all the terms and conditions of this End User License Agreement ("Agreement"). \par..\par..Acceptance \par..\par..YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT BY SELECTING THE "ACCEPT" OPTION AND DOWNLOADING THE
                                                          C:\Users\user\AppData\Local\Temp\mia3\licensecheck.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32515
                                                          Entropy (8bit):3.2392237095249325
                                                          Encrypted:false
                                                          SSDEEP:768:j2HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfE:juXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5D1
                                                          MD5:9A87495839CA4357F293308C86139F03
                                                          SHA1:0529F4612D004BAA1FE8806F6EAD5E78B3E76E55
                                                          SHA-256:C623B82A8BE3EAD16900164C09AFEE00215DC1749A6DE8D4F381CF983A3F5CEB
                                                          SHA-512:75F64D527924764598066D157C406FD18A00FA59EAB8D418724EF7E87B8B718EF57595118284710A08B17D7C287723AAF5F06383F877ADF77EFF7F7573AD665E
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\licensecheck.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):502
                                                          Entropy (8bit):4.896842553280578
                                                          Encrypted:false
                                                          SSDEEP:6:aHi6GKuMtrk86i6euMtrkeuN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+J:0IMtgfjMtgxINIkU3lkimkU3MIkT
                                                          MD5:D312F2FDC09193A04578D688A2CA292D
                                                          SHA1:54BD3AA4CC72E68FC613A4227CADA7AD702D795E
                                                          SHA-256:DB1C3A93A00A46C77F3E8D19C5DA4D42C54CE58C9EB71B586E512ABEE2D46967
                                                          SHA-512:A71514B0F31010F7BF23954BCE707A277CA765BC14DDED7D7870615528A7751E4B26E72BB826781BC4F57C2A7C75FCFB92C4BA781AAD58372CF6CECE39832D19
                                                          Malicious:false
                                                          Preview: IF (LicenseCheck.Checked = True) THEN Next.Enabled := True;..IF (LicenseCheck.Checked = False) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\mDIFxEXE.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1305600
                                                          Entropy (8bit):6.66768345397406
                                                          Encrypted:false
                                                          SSDEEP:24576:yIAaJZ7NOcdUT4OELlCRmLrxB4Swz+hLnNlAj4HdH:HcWgYfxSSwz4A6
                                                          MD5:511629FCCFB6C536A8F6FCBF4AA06401
                                                          SHA1:6931DE3FB845AF6CD30348108A98767268EF6200
                                                          SHA-256:65AD010679A748A7174ABE1C314E0F1AE78E7BE69DEC22F0357536F21399C68C
                                                          SHA-512:D51248F81789E8E2DEFB7B59E551B3FF705C8D8BB098AC66E7A4C7C9AF48855544BA44D6256F02052B6D525753A645E7EA601F421A5918446A231775F89E081C
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\mMSIExec.dll
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1340928
                                                          Entropy (8bit):6.677299856016359
                                                          Encrypted:false
                                                          SSDEEP:24576:89mKmMTfYBbuMNX9PnKMHxXgrptvZzDMbxBqSwY1raig5CUd1t:89mn1buMNX9yChIGbxUSwr57d1t
                                                          MD5:57C34F9689A69BE0C1CD7F6FF3FDA546
                                                          SHA1:54F0D3CB9693D8937AA93301AC66D25CDEA9B628
                                                          SHA-256:2C2095721E9E7B3CA68D08D5F3D6E0528B8BCED9A45CEA638CF4B8212E9B139E
                                                          SHA-512:01C95F082FD71DAD1BC686F37B7CA06724936B2E02294147EEBE384910809ADC8D802D89016CFA423C1181D531CE6C8D0AF4C95F633D8AE8D6AAD3B10C842F4D
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\maintenance.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):160624
                                                          Entropy (8bit):1.9662006432706152
                                                          Encrypted:false
                                                          SSDEEP:192:tdMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4Cwtq69wWnUgK:tfI/kwAgK
                                                          MD5:B3C9C9EE0C9C2DCB15CF24D5DF20F4F3
                                                          SHA1:3B1660EB617CB2751D9CCC79B8C025BD5A7B153B
                                                          SHA-256:23D6D6041B3025A8B1817B5FC455067B534AD91DCB19A1D09509A3AE55065CED
                                                          SHA-512:93C5B855AF462D9772754CB46307F5890735F7476D8ECF0F9CF213BC3A32EB4E19E3C48842A68F9D1DD29EAF2A8A2EE4712E917AB05BC121C18BFA77E3250811
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\maintenance.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\prereq.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32639
                                                          Entropy (8bit):3.2633511856005843
                                                          Encrypted:false
                                                          SSDEEP:768:scHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfi:scXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dp
                                                          MD5:3B989C7730DF816A13A88B722A25B021
                                                          SHA1:882F64912D28ED7C1EE1D59333E934CC73E1C50A
                                                          SHA-256:9E7054257B4D608BC16547468B0E6D4AA06B0A0CF467CF76CD7ED169979E0B2C
                                                          SHA-512:36E42A53E3F4956DD87DCBF6E36B43E9210B8A5195684228CCF7C465ECB7105505EAFF01F705B8B4D48631E21C02B443AB871D84415A1597FC4B52B22D18689F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\prereq.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):744
                                                          Entropy (8bit):4.963019277603885
                                                          Encrypted:false
                                                          SSDEEP:12:qITMDIb6UIJTc6S6juINIkU3lkimkU3MIkT:qIMIb6UIJA6SsuINI53ldm53MIk
                                                          MD5:172D6845744A1EC7DC233E9335C5A47C
                                                          SHA1:F0E3CB9C55F0F0961EF496D3EBF532943FB155E1
                                                          SHA-256:7AEF8EF0D965D2AEDDDF2FBC2B99BA2A3E5E96517BCD38ADB1A3315456D16E6F
                                                          SHA-512:639D0D336EA949B877E12A0DB026FC3D085F3DD2B25A7C5CDCC8850CCD998FCA4364BB18D167454AEDB763793E9D251E08A1A3A06A46117FF0B5B2AE22E06643
                                                          Malicious:false
                                                          Preview: IF (checkWINST.Caption <> TRUE) THEN WINST.Visible := True;..IF (checkJS.Caption <> TRUE) THEN JS.Visible := True;..IF (checkDotNET.Caption <> TRUE) THEN dotNET.Visible := True;..IF (checkWINST.Caption = TRUE) THEN WINST.Visible := False;..IF (checkDotNET.Caption = TRUE) THEN dotNET.Visible := False;..IF (checkJS.Caption = TRUE) THEN JS.Visible := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\progress.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):43482
                                                          Entropy (8bit):4.168440625869399
                                                          Encrypted:false
                                                          SSDEEP:768:3JHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfR:3hXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Da
                                                          MD5:5C0175D2688D0942C2616E689B52C5F9
                                                          SHA1:200FE3D32B6A593538F61E3D1AA2A860BC40A2EA
                                                          SHA-256:00FD246E8C2E5C79A0753C5BFD0D37A21C1CC0B272312C127E0775DB94669392
                                                          SHA-512:02440C85404465F8FD590BF6AA5FA4FF315A34B39A9B958C73B294AC139B6C6D9BAAC0CD26A769E62480C547A71F98ECB70D6BBDCA4390F4347DBBC80E780AB8
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\progress.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):666
                                                          Entropy (8bit):4.809149901341814
                                                          Encrypted:false
                                                          SSDEEP:6:a3jF2duukAiRcjjuukTDoRcjF2duukTDQTjjuukA6uN82du+wg4RBN82dukU3ekd:csIrqar1sIroarIINIkU3lkimkU3MIkT
                                                          MD5:03D007FB3FC47A2F8CA6EB2C13881052
                                                          SHA1:3212C3FB7FAA97630F849AD7EBA205D90EAC7EE3
                                                          SHA-256:692786FB6BF3363DFDD0CDA8013986F4F63FD9209DA6BD1299CC8CF06275DF89
                                                          SHA-512:A2193DFBB22D9F8EFB3CFFD8F2E4021A3213667F13F218EF1AA9B1DD2BF3044AF1E71CFB19497762A386B6CFB841C4C642C739A52471556ED7C3877907D6EA9E
                                                          Malicious:false
                                                          Preview: IF (TestRemove.Caption <> TRUE) THEN CaptionInstall.Visible := True;..IF (TestRemove.Caption = TRUE) THEN CaptionUninstall.Visible := True;..IF (TestRemove.Caption <> TRUE) THEN CaptionUninstall.Visible := False;..IF (TestRemove.Caption = TRUE) THEN CaptionInstall.Visible := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\progressprereq.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):43116
                                                          Entropy (8bit):4.127536230542945
                                                          Encrypted:false
                                                          SSDEEP:768:yUHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibf/D:y0XQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dm
                                                          MD5:AF75C73B31B45D4797A326367B1A696A
                                                          SHA1:B2795FAA612F4BFAEDF79EF0DDC6CC7E43FB5801
                                                          SHA-256:F5BD968E1580C2B47D800867A237D4F90CD7465E38219836E7792094354CBBD2
                                                          SHA-512:9073543CBF566EB031E6EF257A670BD59535B568F2D5C480A4D9DF9470586234226EB232F8A18D64322477502FB3AFB14B2422827647B69CFD8AFB2CFD75E490
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\progressprereq.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\readme.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32365
                                                          Entropy (8bit):3.210637703795355
                                                          Encrypted:false
                                                          SSDEEP:768:F2HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfMR:FuXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dn
                                                          MD5:8DB37E945737A642476551E6EA537ED5
                                                          SHA1:2579ECFFD229F167398337358778E032AAAE3E3D
                                                          SHA-256:4221122F990055367BE3AF2CCD9A8A6A28E4E8A8889B74BD543C70E96FF63527
                                                          SHA-512:461CD4C6F01A82AC1C6D97968AF1B3CCD6E5D5D8C76C5CDD92822869335C379E8DD07A562DF787232D173588D9DCBC1E3071A5E5BE873D02DE6744BEE599AA92
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\readme.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):502
                                                          Entropy (8bit):4.896842553280578
                                                          Encrypted:false
                                                          SSDEEP:6:aHi6GKuMtrk86i6euMtrkeuN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+J:0IMtgfjMtgxINIkU3lkimkU3MIkT
                                                          MD5:D312F2FDC09193A04578D688A2CA292D
                                                          SHA1:54BD3AA4CC72E68FC613A4227CADA7AD702D795E
                                                          SHA-256:DB1C3A93A00A46C77F3E8D19C5DA4D42C54CE58C9EB71B586E512ABEE2D46967
                                                          SHA-512:A71514B0F31010F7BF23954BCE707A277CA765BC14DDED7D7870615528A7751E4B26E72BB826781BC4F57C2A7C75FCFB92C4BA781AAD58372CF6CECE39832D19
                                                          Malicious:false
                                                          Preview: IF (LicenseCheck.Checked = True) THEN Next.Enabled := True;..IF (LicenseCheck.Checked = False) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\registration.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32609
                                                          Entropy (8bit):3.2576929890359447
                                                          Encrypted:false
                                                          SSDEEP:768:ewVHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfg:ewdXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5v
                                                          MD5:357DC1A87B637A95C2255C15ABDB9765
                                                          SHA1:B41DBE26DB3C8F489E32096535E7DF8AF5F7859C
                                                          SHA-256:005829185AC1A56337D40D515C7E8DA84B06A8E7B7487477DE521861248645D0
                                                          SHA-512:ABBBD816EDDE10AF7612ACCF8858434BD9C17443B92CD7E3966F44B2F624822EE123EAD2DA7F1EF686D76D13FE7C4923F1E3460E0681CB9C239462638D14F677
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\registration.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):576
                                                          Entropy (8bit):4.8398488933566055
                                                          Encrypted:false
                                                          SSDEEP:12:+GYMtg+YMtgdmMtgpMtgxINIkU3lkimkU3MIkT:+ffFmB5INI53ldm53MIk
                                                          MD5:FF697C2FFA89894EC61F9ADF6839926E
                                                          SHA1:25CA863E1866D72D2AB76F76B15A7705F2C0CD12
                                                          SHA-256:C8FDC1180440954E7773ABFA450D153194FA675B8B2764F0300C00A73C989BAC
                                                          SHA-512:A67389FBA944DEA454F7D4559911F745ADE10A8B3B5ED57A6741546AA4EF77FC47017BC7711A586A19EDFA3825517D78BA46A841B0AB7291B6145EA9B0E63A76
                                                          Malicious:false
                                                          Preview: IF (Name.Text <> ) THEN Next.Enabled := True;..IF (Company.Text <> ) THEN Next.Enabled := True;..IF (Name.Text = ) THEN Next.Enabled := False;..IF (Company.Text = ) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\registrationwithserial.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33341
                                                          Entropy (8bit):3.3842477874818355
                                                          Encrypted:false
                                                          SSDEEP:768:JdHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfM4:JFXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dk
                                                          MD5:8616C794648FD69FAC8F0F88EDB22E4E
                                                          SHA1:DDDFECF6EA3719E9CEF5C406FD4D525AF7D74A61
                                                          SHA-256:7E5099588AC9EB46983021CFDFCDDDBEFEBFE4CBD8388A531EDAD35FC3DA842D
                                                          SHA-512:B1288B55785B0CA40F331AE92460F213A1C8D77037D5ABA6BBBD74882024ABDC8985E10899F4476CFF64D83F424957B11FD0B759B537E2216DB4E146B1CD09ED
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\registrationwithserial.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1096
                                                          Entropy (8bit):4.80637071596533
                                                          Encrypted:false
                                                          SSDEEP:12:+GYMtg+YMtgPt0YMtgPrYMtgP0ZYMtgPpDYMtgPuYMtgdmMtgpMtg6tkMtg63Mtz:+ff7kkKSHFmBBApVeN5INI53ldm53MIk
                                                          MD5:E30F9BD0EB3C6A3372F67E0F8886E28C
                                                          SHA1:B390AAEDCE02E0A1A031506EE73C313221367BBF
                                                          SHA-256:905BBFEDE6E19926541295E4599A14169CDC21392388DAE0EE1974A5C827D608
                                                          SHA-512:CBDCA01D6A8E060307DA35E6F5F5F52D691F0245E285548454B391543680817783CB443046263BEF5BC3B7A774C503771403FC5B76069F02ADD8A72972CE67F8
                                                          Malicious:false
                                                          Preview: IF (Name.Text <> ) THEN Next.Enabled := True;..IF (Company.Text <> ) THEN Next.Enabled := True;..IF (Serial1.Text <> ) THEN Next.Enabled := True;..IF (Serial2.Text <> ) THEN Next.Enabled := True;..IF (Serial3.Text <> ) THEN Next.Enabled := True;..IF (Serial4.Text <> ) THEN Next.Enabled := True;..IF (Serial5.Text <> ) THEN Next.Enabled := True;..IF (Name.Text = ) THEN Next.Enabled := False;..IF (Company.Text = ) THEN Next.Enabled := False;..IF (Serial1.Text = ) THEN Next.Enabled := False;..IF (Serial2.Text = ) THEN Next.Enabled := False;..IF (Serial3.Text = ) THEN Next.Enabled := False;..IF (Serial4.Text = ) THEN Next.Enabled := False;..IF (Serial5.Text = ) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THE
                                                          C:\Users\user\AppData\Local\Temp\mia3\setuptype.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33637
                                                          Entropy (8bit):3.431633511700928
                                                          Encrypted:false
                                                          SSDEEP:768:+YHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfQd:+YXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dp
                                                          MD5:0ED309FE577738BE9F9EC6E6D4630658
                                                          SHA1:3D22B4956C8DA2C4E91D99C590E165710915AEC3
                                                          SHA-256:D65D017C4E6F112F1959F6BBC50FDFF35348596BE68183A5570257A199EAC1A6
                                                          SHA-512:10E4E1D32E0A47196D18EAFA4FFF03C7F7D36F3AF37E1A0A3DCDE04ADEB3BBF2B3CE51A76D8236CE60AF63D813469BB20E28E997F10BB7986E39DF97B851BFC7
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\setuptype.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\startinstallation.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):160094
                                                          Entropy (8bit):1.9356018985653418
                                                          Encrypted:false
                                                          SSDEEP:192:BrMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4C/DE+n5mW+y:BNI/SjJ
                                                          MD5:72FB03688EB1DC0BFB2EC47EFC219136
                                                          SHA1:4C05F9B7F93B9CAEFDFBDE71AEFA33662E30284B
                                                          SHA-256:CFEBA603367D7CE269E6806BEF49E135370CB4AE80EA575442DCE0833FDB991A
                                                          SHA-512:6FA85A87C2BB0ADC4F699557D5C56A7D714E3852B1531E8AE3516195BB4FED29E6278966192F6A5068D166938760F42E44F355AF0735B3291D1DEC01357E52C1
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\startinstallation.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\startmenu.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33346
                                                          Entropy (8bit):3.385772495039534
                                                          Encrypted:false
                                                          SSDEEP:768:27HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibftPV:27XQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Di
                                                          MD5:79A6D4AC0D44492941DBF1BCF729FCE0
                                                          SHA1:B9A4351BA665D5F190FDCEAAC2F278214E402628
                                                          SHA-256:ED50635652C5E71DD4EE1FBEB5B64E312235D3215C519E2DA2966FF44C61745B
                                                          SHA-512:D0B8A675193F05FFB8A71624E67A0FB63BE6433C73798B675486F6D86181DDE52E1910E51A27E7A61932A0360E2236BE3493196497D9B7C198A8B8CE5F6C2808
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\startmenu.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):602
                                                          Entropy (8bit):4.858794405298382
                                                          Encrypted:false
                                                          SSDEEP:12:jOYMtgQeMtg1dsdrHEUxIsdrHExINIkU3lkimkU3MIkT:jXoe3GI1INI53ldm53MIk
                                                          MD5:5622CBE0342EA56DBEDDB3F036450AE9
                                                          SHA1:97D52E9CE2FE1BA92BA141BCC66D2ECC6EC93978
                                                          SHA-256:19878CE6F272ECDBE413786244A8476214F99445EBB85F307E92B07F2A4C8869
                                                          SHA-512:C1E7CB7493635D368FBB7DA741353C82CB389488E1D8C32CB769FADACE21BC27416E59D2A9525A8DAC1D69195679CE91120496E7A74BF44377E91D97267B231F
                                                          Malicious:false
                                                          Preview: IF (MenuGroup.Text <> ) THEN Next.Enabled := True;..IF (MenuGroup.Text = ) THEN Next.Enabled := False;..IF (ISNT.Caption = TRUE) THEN AllUsers.Enabled := True;..IF (ISNT.Caption <> TRUE) THEN AllUsers.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\welcome.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):160013
                                                          Entropy (8bit):1.9309569759113825
                                                          Encrypted:false
                                                          SSDEEP:192:1vMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4CBH1qwWn5meN:1pI/V9d
                                                          MD5:90F5FF6EDDCCA361D3D359958A97D5A4
                                                          SHA1:85AF264588C053310154318DAB63F754584206D9
                                                          SHA-256:8A9CE30F887652B86334075B2E42E5B76F48075928CE56C53C4D23E375DD546F
                                                          SHA-512:D8A03D9E20292330E3736F178D1B6315CE88B3C623A89C527C5EA33999FD4395A1D98DC95F7632CE0AAD4D9853EA98F36CD641E36E5AA118FECE247ED24E5D43
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\welcome.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\mia3\wizard.dfm
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32251
                                                          Entropy (8bit):3.1896653509607855
                                                          Encrypted:false
                                                          SSDEEP:768:arHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfH:arXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5DI
                                                          MD5:8AA68DEE4B3D18226980261469A560ED
                                                          SHA1:E359A76C34D1F906690054A871C85DFA3A1C88A4
                                                          SHA-256:D2267023E1F38FA5E44AFDF55B6DD485E25F2F1A8EC82C9E93EB8F137F0FBA2F
                                                          SHA-512:6FC30F309A79C6A5661E6673B94258B0C1A240ED9934CB3D6A65C76CAAEDA032001A8F4C79416C76D9F278A0ADDFF595D04B1D60A0924363CEBB97311659CF6C
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\mia3\wizard.dfm.miaf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):374
                                                          Entropy (8bit):4.773773154848379
                                                          Encrypted:false
                                                          SSDEEP:6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
                                                          MD5:8101E0CC3186C05F85B2CD484D26AE9D
                                                          SHA1:B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
                                                          SHA-256:A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
                                                          SHA-512:DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
                                                          Malicious:false
                                                          Preview: IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..
                                                          C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\SET2959.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8981
                                                          Entropy (8bit):6.952810377972559
                                                          Encrypted:false
                                                          SSDEEP:192:6IKsjkeBneIyCNECwnVhjeyveCtAW5LfsxhQ8tsU:1KskI/w/jpvjAGLa3t/
                                                          MD5:FC43EB094C0074FCD29ADC9A742371D9
                                                          SHA1:21EA184EB636E45550BD6A18CDAF08AE19DDD776
                                                          SHA-256:993B957EB5EAC489092B25A51473CE9B4BC49835673999BC4A95440318194D8A
                                                          SHA-512:6A1ACB42C8A6A18E956431F62A89E3BFCC3484683C2934358ACA50D3FCB42D7FD244625C39D78B4983050BE26B9C5114AB53E41DB429B56BC336D33A2B4B3380
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\SET295A.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):5.224754517663399
                                                          Encrypted:false
                                                          SSDEEP:48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
                                                          MD5:BC384072A8A9F073B51EF98ACF303D5B
                                                          SHA1:30235521EB314146B1FD71B67F3CE7D920E2668D
                                                          SHA-256:0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
                                                          SHA-512:7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
                                                          Malicious:false
                                                          Preview: ; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]
                                                          C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET295B.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):24576
                                                          Entropy (8bit):5.444427923348303
                                                          Encrypted:false
                                                          SSDEEP:384:8JZ8/zig4KI5XHhdq4Jrd6T0ZUi/WP0m1g5TkgCGDZaV55K6Z0MFVIZnJ96FkU6X:vBM53ZJrdJUi/WP31d/Gdo5KgLcnJkzg
                                                          MD5:971FA2980AB94A90B6A9A8385267E653
                                                          SHA1:FC739185177A85ED04B71C6A8D5FDFB72D919306
                                                          SHA-256:25E3D0517AFCBD70C1EBB53097F096E1BDA49DC4524E3C858489E5EC12825608
                                                          SHA-512:6D905EC5FCEE1F8ED2870AF0714A6C630DE3E8D8611406486ADDA08ECFC1873BD57932ED73F42EF93E4F49D40FCED13CA5C1C99795E8C0CECBBE6B56327E1337
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET298B.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):19456
                                                          Entropy (8bit):5.5838184446755195
                                                          Encrypted:false
                                                          SSDEEP:192:2fW3/zOHLiVaL/qqPhh0m1ooaJOz6CXPaxEL+GIn0alGalILp/JSUJj6jLfJv19U:2fW3LOHLdLCI0m1Xz3fW01alInS1LFv
                                                          MD5:CEDF7CFFCCD03451FD22DBAAC2E3DE8E
                                                          SHA1:3FD8383608DB769A1E2C8E0C1302C315DCA8B37E
                                                          SHA-256:A1F4B952099EBA4BA4E659782F85B45C4BBB411BF5B7C02D5BE0CC3DBF27AFF3
                                                          SHA-512:BBA0BF8C75E5A1B1AFC72F5B5A33CACA721DBB4589DE7B3430398AE147E2E2CF18A15932DF62D32423B1093453B55B48B9E99FB7549135E3CF33976229C47376
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\{4963F2A4-325D-4774-8D8D-86D68B3EE27C}
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):10061
                                                          Entropy (8bit):5.451096169524831
                                                          Encrypted:false
                                                          SSDEEP:192:sMadrMX8XTN9lMcjk4SUjwSf40tfOunL6L0FgAjXiYdXALgrnZ3depS7:uNz9nmL0FgeG8rnZ3dMS7
                                                          MD5:37D94109BFD03F3AA836AC15A839400B
                                                          SHA1:06557A9C32B900E542E0FE9D20983F6394BB4E4D
                                                          SHA-256:0B78A694A0AC3D9F5DE03D993EFF7699EDEDB4A6C19ED957FA55CB302D6840E3
                                                          SHA-512:758BBB75BBB254634E345FF7893E9968D1F4CE12DFE4E1C49620C65EF6AF1D7602959D7DC59BB0673B8E82F6BDEBF19BB7ADC40396097E271EE15A78C0FB3B13
                                                          Malicious:false
                                                          Preview: SourceDir..C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\..$ex..MEDIAPACKAGEPATH..\Users\user\AppData\Local\Temp\7zS7952.tmp\..$ex..A4BEB53A4..FALSE..$ex..AD35647E..FALSE..$ex..A9702C767..FALSE..$ex..A194AAD59..FALSE..$ex..AEA1BA5D5..FALSE..$ex..ADC702C7E..FALSE..$ex..AB7ED429E..FALSE..$ex..A453607F8..FALSE..$ex..AC3C84A4C..FALSE..$ex..A353AD105..FALSE..$ex..A2E5DCE8F..FALSE..$ex..AA3F0088A..FALSE..$ex..A51845961..FALSE..$ex..A55E6A65E..FALSE..$ex..A67ACD331..FALSE..$ex..A36706E48..FALSE..$ex..A3575565E..FALSE..$ex..AF4ED2515..FALSE..$ex..AECC34BEC..FALSE..$ex..A587D056C..FALSE..$ex..AE5444EFD..FALSE..$ex..A9847A14B..FALSE..$ex..AD532E401..FALSE..$ex..AC9AB7ACB..FALSE..$ex..A8C4586D2..FALSE..$ex..AE379E83C..FALSE..$ex..AAD9FE403..FALSE..$ex..A44DB77AB..FALSE..$ex..AFC8C594..FALSE..$ex..AD83B2FF9..FALSE..$ex..A774E815E..FALSE..$ex..ADAA0442..FALSE..$ex..A655FCA3B..FALSE..$ex..A1EA7FD63..FALSE..$ex..A609B42C1..FALSE..$ex..A409F08AF..FALSE..$ex..AF28C57DF..FALSE..$ex..A7021623..FALS
                                                          C:\Windows\DPINST.LOG
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):1802
                                                          Entropy (8bit):3.6734071681612677
                                                          Encrypted:false
                                                          SSDEEP:24:FMdlLVkQpFL6Lwz4gY6bA07u8LwzWZ/lZz8W/LL7i9:F8lZBX6Lwz4gY697bLwzWTd8WTL29
                                                          MD5:2CFB57A088CE6F38F161FE2B9C86B9EE
                                                          SHA1:0E36DF998C1369F64D145038EA8EEBB3F536A113
                                                          SHA-256:D61D908DEBE81B9042BABDDB875990D09D18CD0CCC9BE32B6DD1D64D984261F5
                                                          SHA-512:0F5379AE24211FD0E5A1DE410DB80106948FB1520484FEFD33CC1CB06981C2797C0F1157A255198DC0E0B2BC3BCB5CEE0F83BED879A12EF59A0C2C29BEC75C70
                                                          Malicious:false
                                                          Preview: INFO:   ****************************************..INFO:   02/25/2021 21:55:25..INFO:   Product Version 2.1.0.0...INFO:   Version: 6.2.9200 ..INFO:   Platform ID: 2 (NT)..INFO:   Service Pack: 0.0..INFO:   Suite: 0x0100, Product Type: 1..INFO:   Architecture: X86...INFO:   Interactive Windows Station..INFO:   Command Line: 'C:\Users\hardz\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F'..INFO:   DPInst is not mu
                                                          C:\Windows\Fonts\mdd_0.ttf
                                                          Process:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          File Type:TrueType Font data, 15 tables, 1st "OS/2", name offset 0x30a0dc
                                                          Category:dropped
                                                          Size (bytes):3189464
                                                          Entropy (8bit):5.995760690515092
                                                          Encrypted:false
                                                          SSDEEP:49152:aKGJGTV0L61KRCn7GvLkNrxCQ4Skrrlh67iPFfR:XGJGR0L3k7AhrrltR
                                                          MD5:134EA9D05DB33ADF680B8440F715CCF9
                                                          SHA1:3122FD8759ACB7562A98F6349EF0E2E46A018895
                                                          SHA-256:70F760EE31BB569EC53E33B44A699643898DC8C65B3034E370953AFD1E63964D
                                                          SHA-512:C512C3F68EB90C5A6D78D2F00559A42CE492131F0CC6B18A5483B57E906793EFAFD25785F0836483214333AA9E77960DD6C6F32FC8292178644FC9E4D2B91A9B
                                                          Malicious:false
                                                          C:\Windows\INF\oem3.inf
                                                          Process:C:\Windows\System32\drvinst.exe
                                                          File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):5.224754517663399
                                                          Encrypted:false
                                                          SSDEEP:48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
                                                          MD5:BC384072A8A9F073B51EF98ACF303D5B
                                                          SHA1:30235521EB314146B1FD71B67F3CE7D920E2668D
                                                          SHA-256:0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
                                                          SHA-512:7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
                                                          Malicious:false
                                                          Preview: ; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]
                                                          C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\SET2CF3.tmp
                                                          Process:C:\Windows\System32\drvinst.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8981
                                                          Entropy (8bit):6.952810377972559
                                                          Encrypted:false
                                                          SSDEEP:192:6IKsjkeBneIyCNECwnVhjeyveCtAW5LfsxhQ8tsU:1KskI/w/jpvjAGLa3t/
                                                          MD5:FC43EB094C0074FCD29ADC9A742371D9
                                                          SHA1:21EA184EB636E45550BD6A18CDAF08AE19DDD776
                                                          SHA-256:993B957EB5EAC489092B25A51473CE9B4BC49835673999BC4A95440318194D8A
                                                          SHA-512:6A1ACB42C8A6A18E956431F62A89E3BFCC3484683C2934358ACA50D3FCB42D7FD244625C39D78B4983050BE26B9C5114AB53E41DB429B56BC336D33A2B4B3380
                                                          Malicious:false
                                                          C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\SET2D32.tmp
                                                          Process:C:\Windows\System32\drvinst.exe
                                                          File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):5.224754517663399
                                                          Encrypted:false
                                                          SSDEEP:48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
                                                          MD5:BC384072A8A9F073B51EF98ACF303D5B
                                                          SHA1:30235521EB314146B1FD71B67F3CE7D920E2668D
                                                          SHA-256:0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
                                                          SHA-512:7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
                                                          Malicious:false
                                                          Preview: ; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]
                                                          C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D33.tmp
                                                          Process:C:\Windows\System32\drvinst.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):24576
                                                          Entropy (8bit):5.444427923348303
                                                          Encrypted:false
                                                          SSDEEP:384:8JZ8/zig4KI5XHhdq4Jrd6T0ZUi/WP0m1g5TkgCGDZaV55K6Z0MFVIZnJ96FkU6X:vBM53ZJrdJUi/WP31d/Gdo5KgLcnJkzg
                                                          MD5:971FA2980AB94A90B6A9A8385267E653
                                                          SHA1:FC739185177A85ED04B71C6A8D5FDFB72D919306
                                                          SHA-256:25E3D0517AFCBD70C1EBB53097F096E1BDA49DC4524E3C858489E5EC12825608
                                                          SHA-512:6D905EC5FCEE1F8ED2870AF0714A6C630DE3E8D8611406486ADDA08ECFC1873BD57932ED73F42EF93E4F49D40FCED13CA5C1C99795E8C0CECBBE6B56327E1337
                                                          Malicious:false
                                                          C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D34.tmp
                                                          Process:C:\Windows\System32\drvinst.exe
                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):19456
                                                          Entropy (8bit):5.5838184446755195
                                                          Encrypted:false
                                                          SSDEEP:192:2fW3/zOHLiVaL/qqPhh0m1ooaJOz6CXPaxEL+GIn0alGalILp/JSUJj6jLfJv19U:2fW3LOHLdLCI0m1Xz3fW01alInS1LFv
                                                          MD5:CEDF7CFFCCD03451FD22DBAAC2E3DE8E
                                                          SHA1:3FD8383608DB769A1E2C8E0C1302C315DCA8B37E
                                                          SHA-256:A1F4B952099EBA4BA4E659782F85B45C4BBB411BF5B7C02D5BE0CC3DBF27AFF3
                                                          SHA-512:BBA0BF8C75E5A1B1AFC72F5B5A33CACA721DBB4589DE7B3430398AE147E2E2CF18A15932DF62D32423B1093453B55B48B9E99FB7549135E3CF33976229C47376
                                                          Malicious:false
                                                          C:\Windows\System32\catroot2\dberr.txt
                                                          Process:C:\Windows\System32\drvinst.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):75
                                                          Entropy (8bit):4.86378140456328
                                                          Encrypted:false
                                                          SSDEEP:3:WfmIFPPVXGbQB3G3VW3yEA:Y/n9Sc93y1
                                                          MD5:CFBEF25B6E15BBDAD974D72ABC694A68
                                                          SHA1:24E4F97B27B3B3F11CA0D18B1BFAABBD91CD926C
                                                          SHA-256:3D16F547CA40954565833059CE078E12A607387164B450272EA5FA4B98B0CDEC
                                                          SHA-512:44E650CFFF4EEAA05864FFC0BB4318EC365A3794048BEC4109E49891A51761EFFEB864B8A3FE504D86435964407BFC073027AA74EF1A8B2EF7E8C253B29F80A3
                                                          Malicious:false
                                                          Preview: CatalogDB: 9:54:42 PM 2/25/2021: DONE Adding Catalog File (0ms): oem3.cat..

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.977568734954625
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:LI180_win-1.5.1.exe
                                                          File size:10630347
                                                          MD5:77d64242fbd270b5363d383b51075783
                                                          SHA1:4c23d1f71ff19b5c046d8b1d750104a386f184f9
                                                          SHA256:a48f199141b10a4d425fd128ac0bdfca75ec98741a3eacff11a67a3bbc4bde01
                                                          SHA512:245442075f013f57171a1ca3ecc78c4660d9664ccb08512eabf86fe7baad4be60aaf48d05ca05fed67fd7b90feee930a4e55686ab678497b77b047f29c884449
                                                          SSDEEP:196608:u+VXiW5e/8+X7MCatgKFp1ibzHYOaIyU/9tY3UZ8O7dBlf+QxnyU2GHlWVuP+qDC:u+VSW5e/J7MNtCbzDagFtYkZ82dTf3ne

                                                          File Icon

                                                          Icon Hash:309270f8b296cc00

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4181dd
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x527716D3 [Mon Nov 4 03:38:59 2013 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:0
                                                          File Version Major:5
                                                          File Version Minor:0
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:0
                                                          Import Hash:d7ce6dd95e3ebd47f39cf25197cd96e8

                                                          Entrypoint Preview

                                                          Instruction
                                                          call 00007F9E1C8AE1AFh
                                                          jmp 00007F9E1C8AA14Dh
                                                          push 0000000Ch
                                                          push 0042A4F8h
                                                          call 00007F9E1C8A9C4Eh
                                                          push 0000000Eh
                                                          call 00007F9E1C8ABF82h
                                                          pop ecx
                                                          and dword ptr [ebp-04h], 00000000h
                                                          mov esi, dword ptr [ebp+08h]
                                                          mov ecx, dword ptr [esi+04h]
                                                          test ecx, ecx
                                                          je 00007F9E1C8AA301h
                                                          mov eax, dword ptr [004306C4h]
                                                          mov edx, 004306C0h
                                                          mov dword ptr [ebp-1Ch], eax
                                                          test eax, eax
                                                          je 00007F9E1C8AA2E3h
                                                          cmp dword ptr [eax], ecx
                                                          jne 00007F9E1C8AA2FEh
                                                          mov ecx, dword ptr [eax+04h]
                                                          mov dword ptr [edx+04h], ecx
                                                          push eax
                                                          call 00007F9E1C8A9589h
                                                          pop ecx
                                                          push dword ptr [esi+04h]
                                                          call 00007F9E1C8A9580h
                                                          pop ecx
                                                          and dword ptr [esi+04h], 00000000h
                                                          mov dword ptr [ebp-04h], FFFFFFFEh
                                                          call 00007F9E1C8AA2DFh
                                                          call 00007F9E1C8A9C3Dh
                                                          ret
                                                          mov edx, eax
                                                          jmp 00007F9E1C8AA297h
                                                          push 0000000Eh
                                                          call 00007F9E1C8ABE4Dh
                                                          pop ecx
                                                          ret
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          mov edx, dword ptr [esp+04h]
                                                          mov ecx, dword ptr [esp+08h]
                                                          test edx, 00000003h
                                                          jne 00007F9E1C8AA30Eh
                                                          mov eax, dword ptr [edx]
                                                          cmp al, byte ptr [ecx]
                                                          jne 00007F9E1C8AA300h
                                                          or al, al
                                                          je 00007F9E1C8AA2F8h
                                                          cmp ah, byte ptr [ecx+01h]
                                                          jne 00007F9E1C8AA2F7h
                                                          or ah, ah
                                                          je 00007F9E1C8AA2EFh
                                                          shr eax, 10h
                                                          cmp al, byte ptr [ecx+02h]
                                                          jne 00007F9E1C8AA2EBh
                                                          or al, al
                                                          je 00007F9E1C8AA2E3h
                                                          cmp ah, byte ptr [ecx+03h]
                                                          jne 00007F9E1C8AA2E2h
                                                          add ecx, 04h
                                                          add edx, 04h
                                                          or ah, ah
                                                          jne 00007F9E1C8AA2A4h
                                                          mov edi, edi
                                                          xor eax, eax
                                                          ret
                                                          nop

                                                          Rich Headers

                                                          Programming Language:
                                                          • [ASM] VS2008 SP1 build 30729
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [RES] VS2008 build 21022
                                                          • [LNK] VS2008 SP1 build 30729
                                                          • [C++] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729

                                                          Data Directories

                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a984 | 0x8c | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35000 | 0x2dc34 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x25e30 | 0x40 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x244 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                          Sections

                                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          .text | 0x1000 | 0x216d2 | 0x21800 | False | 0.58252681903 | data | 6.61792755392 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .rdata | 0x23000 | 0x8606 | 0x8800 | False | 0.339470358456 | data | 4.67908358324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .data | 0x2c000 | 0x8304 | 0x2400 | False | 0.259006076389 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 4.16997777591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                          .rsrc | 0x35000 | 0x2dc34 | 0x2de00 | False | 0.0475668426431 | data | 2.66146906961 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          Name | RVA | Size | Type | Language | Country
                                                          RT_ICON | 0x35ce4 | 0x90b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                                          RT_ICON | 0x365f0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
                                                          RT_ICON | 0x46e18 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
                                                          RT_ICON | 0x4b040 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                                                          RT_ICON | 0x4d5e8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                                                          RT_ICON | 0x4e690 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                          RT_DIALOG | 0x4eaf8 | 0x1d8 | data | |
                                                          RT_DIALOG | 0x4ecd0 | 0x1be | data | |
                                                          RT_STRING | 0x4ee90 | 0x48c | data | Arabic | Saudi Arabia
                                                          RT_STRING | 0x4f31c | 0x48c | data | Catalan | Spain
                                                          RT_STRING | 0x4f7a8 | 0x48c | data | Chinese | Taiwan
                                                          RT_STRING | 0x4fc34 | 0x48c | data | Czech | Czech Republic
                                                          RT_STRING | 0x500c0 | 0x48c | data | Danish | Denmark
                                                          RT_STRING | 0x5054c | 0x48c | data | German | Germany
                                                          RT_STRING | 0x509d8 | 0x48c | data | Greek | Greece
                                                          RT_STRING | 0x50e64 | 0x48c | data | English | United States
                                                          RT_STRING | 0x512f0 | 0x48c | data | Finnish | Finland
                                                          RT_STRING | 0x5177c | 0x48c | data | French | France
                                                          RT_STRING | 0x51c08 | 0x48c | data | Hebrew | Israel
                                                          RT_STRING | 0x52094 | 0x48c | data | Hungarian | Hungary
                                                          RT_STRING | 0x52520 | 0x48c | data | Italian | Italy
                                                          RT_STRING | 0x529ac | 0x48c | data | Japanese | Japan
                                                          RT_STRING | 0x52e38 | 0x48c | data | Korean | North Korea
                                                          RT_STRING | 0x52e38 | 0x48c | data | Korean | South Korea
                                                          RT_STRING | 0x532c4 | 0x48c | data | Dutch | Netherlands
                                                          RT_STRING | 0x53750 | 0x48c | data | Norwegian | Norway
                                                          RT_STRING | 0x53bdc | 0x48c | data | Polish | Poland
                                                          RT_STRING | 0x54068 | 0x48c | data | Portuguese | Brazil
                                                          RT_STRING | 0x544f4 | 0x48c | data | Romanian | Romania
                                                          RT_STRING | 0x54980 | 0x48c | data | Russian | Russia
                                                          RT_STRING | 0x54e0c | 0x48c | data | Croatian | Croatia
                                                          RT_STRING | 0x55298 | 0x48c | data | Slovak | Slovakia
                                                          RT_STRING | 0x55724 | 0x48c | data | Swedish | Sweden
                                                          RT_STRING | 0x55bb0 | 0x48c | data | Thai | Thailand
                                                          RT_STRING | 0x5603c | 0x48c | data | Turkish | Turkey
                                                          RT_STRING | 0x564c8 | 0x48c | data | Slovenian | Slovenia
                                                          RT_STRING | 0x56954 | 0x48c | data | Estonian | Estonia
                                                          RT_STRING | 0x56de0 | 0x48c | data | Latvian | Lativa
                                                          RT_STRING | 0x5726c | 0x48c | data | Lithuanian | Lithuania
                                                          RT_STRING | 0x576f8 | 0x48c | data | Vietnamese | Vietnam
                                                          RT_STRING | 0x57b84 | 0x48c | data | Basque | France
                                                          RT_STRING | 0x57b84 | 0x48c | data | Basque | Spain
                                                          RT_STRING | 0x58010 | 0x48c | data | Chinese | China
                                                          RT_STRING | 0x5849c | 0x48c | data | Portuguese | Portugal
                                                          RT_STRING | 0x58928 | 0x48c | data | |
                                                          RT_STRING | 0x58db4 | 0x2f2 | data | Arabic | Saudi Arabia
                                                          RT_STRING | 0x590a8 | 0x2f2 | data | Catalan | Spain
                                                          RT_STRING | 0x5939c | 0x2f2 | data | Chinese | Taiwan
                                                          RT_STRING | 0x59690 | 0x2f2 | data | Czech | Czech Republic
                                                          RT_STRING | 0x59984 | 0x2f2 | data | Danish | Denmark
                                                          RT_STRING | 0x59c78 | 0x2f2 | data | German | Germany
                                                          RT_STRING | 0x59f6c | 0x2f2 | data | Greek | Greece
                                                          RT_STRING | 0x5a260 | 0x2f2 | data | English | United States
                                                          RT_STRING | 0x5a554 | 0x2f2 | data | Finnish | Finland
                                                          RT_STRING | 0x5a848 | 0x2f2 | data | French | France
                                                          RT_STRING | 0x5ab3c | 0x2f2 | data | Hebrew | Israel
                                                          RT_STRING | 0x5ae30 | 0x2f2 | data | Hungarian | Hungary
                                                          RT_STRING | 0x5b124 | 0x2f2 | data | Italian | Italy
                                                          RT_STRING | 0x5b418 | 0x2f2 | data | Japanese | Japan
                                                          RT_STRING | 0x5b70c | 0x2f2 | data | Korean | North Korea
                                                          RT_STRING | 0x5b70c | 0x2f2 | data | Korean | South Korea
                                                          RT_STRING | 0x5ba00 | 0x2f2 | data | Dutch | Netherlands
                                                          RT_STRING | 0x5bcf4 | 0x2f2 | data | Norwegian | Norway
                                                          RT_STRING | 0x5bfe8 | 0x2f2 | data | Polish | Poland
                                                          RT_STRING | 0x5c2dc | 0x2f2 | data | Portuguese | Brazil
                                                          RT_STRING | 0x5c5d0 | 0x2f2 | data | Romanian | Romania
                                                          RT_STRING | 0x5c8c4 | 0x2f2 | data | Russian | Russia
                                                          RT_STRING | 0x5cbb8 | 0x2f2 | data | Croatian | Croatia
                                                          RT_STRING | 0x5ceac | 0x2f2 | data | Slovak | Slovakia
                                                          RT_STRING | 0x5d1a0 | 0x2f2 | data | Swedish | Sweden
                                                          RT_STRING | 0x5d494 | 0x2f2 | data | Thai | Thailand
                                                          RT_STRING | 0x5d788 | 0x2f2 | data | Turkish | Turkey
                                                          RT_STRING | 0x5da7c | 0x2f2 | data | Slovenian | Slovenia
                                                          RT_STRING | 0x5dd70 | 0x2f2 | data | Estonian | Estonia
                                                          RT_STRING | 0x5e064 | 0x2f2 | data | Latvian | Lativa
                                                          RT_STRING | 0x5e358 | 0x2f2 | data | Lithuanian | Lithuania
                                                          RT_STRING | 0x5e64c | 0x2f2 | data | Vietnamese | Vietnam
                                                          RT_STRING | 0x5e940 | 0x2f2 | data | Basque | France
                                                          RT_STRING | 0x5e940 | 0x2f2 | data | Basque | Spain
                                                          RT_STRING | 0x5ec34 | 0x2f2 | data | Chinese | China
                                                          RT_STRING | 0x5ef28 | 0x2f2 | data | Portuguese | Portugal
                                                          RT_STRING | 0x5f21c | 0x2f2 | data | |
                                                          RT_STRING | 0x5f510 | 0x106 | data | Arabic | Saudi Arabia
                                                          RT_STRING | 0x5f618 | 0x106 | data | Catalan | Spain
                                                          RT_STRING | 0x5f720 | 0x106 | data | Chinese | Taiwan
                                                          RT_STRING | 0x5f828 | 0x106 | data | Czech | Czech Republic
                                                          RT_STRING | 0x5f930 | 0x106 | data | Danish | Denmark
                                                          RT_STRING | 0x5fa38 | 0x106 | data | German | Germany
                                                          RT_STRING | 0x5fb40 | 0x106 | data | Greek | Greece
                                                          RT_STRING | 0x5fc48 | 0x106 | data | English | United States
                                                          RT_STRING | 0x5fd50 | 0x106 | data | Finnish | Finland
                                                          RT_STRING | 0x5fe58 | 0x106 | data | French | France
                                                          RT_STRING | 0x5ff60 | 0x106 | data | Hebrew | Israel
                                                          RT_STRING | 0x60068 | 0x106 | data | Hungarian | Hungary
                                                          RT_STRING | 0x60170 | 0x106 | data | Italian | Italy
                                                          RT_STRING | 0x60278 | 0x106 | data | Japanese | Japan
                                                          RT_STRING | 0x60380 | 0x106 | data | Korean | North Korea
                                                          RT_STRING | 0x60380 | 0x106 | data | Korean | South Korea
                                                          RT_STRING | 0x60488 | 0x106 | data | Dutch | Netherlands
                                                          RT_STRING | 0x60590 | 0x106 | data | Norwegian | Norway
                                                          RT_STRING | 0x60698 | 0x106 | data | Polish | Poland
                                                          RT_STRING | 0x607a0 | 0x106 | data | Portuguese | Brazil
                                                          RT_STRING | 0x608a8 | 0x106 | data | Romanian | Romania
                                                          RT_STRING | 0x609b0 | 0x106 | data | Russian | Russia
                                                          RT_STRING | 0x60ab8 | 0x106 | data | Croatian | Croatia
                                                          RT_STRING | 0x60bc0 | 0x106 | data | Slovak | Slovakia
                                                          RT_STRING | 0x60cc8 | 0x106 | data | Swedish | Sweden
                                                          RT_STRING | 0x60dd0 | 0x106 | data | Thai | Thailand
                                                          RT_STRING | 0x60ed8 | 0x106 | data | Turkish | Turkey
                                                          RT_STRING | 0x60fe0 | 0x106 | data | Slovenian | Slovenia
                                                          RT_STRING | 0x610e8 | 0x106 | data | Estonian | Estonia
                                                          RT_STRING | 0x611f0 | 0x106 | data | Latvian | Lativa
                                                          RT_STRING | 0x612f8 | 0x106 | data | Lithuanian | Lithuania
                                                          RT_STRING | 0x61400 | 0x106 | data | Vietnamese | Vietnam
                                                          RT_STRING | 0x61508 | 0x106 | data | Basque | France
                                                          RT_STRING | 0x61508 | 0x106 | data | Basque | Spain
                                                          RT_STRING | 0x61610 | 0x106 | data | Chinese | China
                                                          RT_STRING | 0x61718 | 0x106 | data | Portuguese | Portugal
                                                          RT_STRING | 0x61820 | 0x106 | data | |
                                                          RT_GROUP_ICON | 0x61928 | 0x5a | data | English | United States
                                                          RT_VERSION | 0x61984 | 0xe40 | data | English | United States
                                                          RT_MANIFEST | 0x627c4 | 0x470 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                                                          Imports

                                                          DLL | Import
                                                          KERNEL32.dll | GetModuleFileNameW, LocalFree, FormatMessageW, FindClose, FindFirstFileW, FindNextFileW, GetLastError, CloseHandle, GetFileSize, SetFilePointer, ReadFile, SetFileTime, WriteFile, SetEndOfFile, GetCurrentDirectoryW, CreateFileW, GetStdHandle, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, VirtualAlloc, VirtualFree, GetVersionExW, WaitForSingleObject, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetWindowsDirectoryW, SetFileAttributesW, RemoveDirectoryW, DeleteFileW, GetShortPathNameW, GetTempPathW, GetTempFileNameW, lstrlenW, GetFullPathNameW, Sleep, GetVersion, LocalAlloc, SetCurrentDirectoryW, GetExitCodeProcess, CreateProcessW, GetCommandLineW, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, GetConsoleMode, GetConsoleCP, InitializeCriticalSectionAndSpinCount, GetLocaleInfoA, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, LoadLibraryA, GetSystemTimeAsFileTime, WideCharToMultiByte, MultiByteToWideChar, CreateDirectoryW, DeleteCriticalSection, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, HeapSize, ExitProcess, HeapCreate, IsDebuggerPresent, RaiseException, RtlUnwind, HeapAlloc, HeapFree, HeapReAlloc, ExitThread, CreateThread, GetCommandLineA, GetStartupInfoA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, TerminateProcess, GetCurrentProcess
                                                          USER32.dll | CharUpperW, DestroyWindow, RegisterWindowMessageW, LoadIconW, KillTimer, SetTimer, SetDlgItemTextW, EndDialog, IsDlgButtonChecked, GetDlgItem, SetWindowTextW, PeekMessageW, MessageBoxW, GetDesktopWindow, SetForegroundWindow, DialogBoxParamW, SendMessageW, GetWindowLongW, SetWindowLongW, ShowWindow, GetWindowTextW, GetWindowTextLengthW, LoadStringW, PostMessageW
                                                          ADVAPI32.dll | RegSetValueExW, RegCloseKey, RegCreateKeyExW
                                                          SHELL32.dll | ShellExecuteExW
                                                          ole32.dll | CoInitialize, CoCreateInstance
                                                          OLEAUT32.dll | SysAllocStringLen, SysAllocString, VariantClear, SysFreeString

                                                          Version Infos

                                                          Description | Data
                                                          LegalCopyright | All rights reserved
                                                          FileVersion | 1.5.1
                                                          CompanyName | LI-COR, Inc.
                                                          Comments | This installation was built with InstallAware: http://www.installaware.com
                                                          ProductName | LI-180 Spectrometer
                                                          ProductVersion | 1.5.1 0, 0
                                                          FileDescription | LI-COR Spectrum Installation
                                                          Translation | 0x0409 0x04e4

                                                          Possible Origin

                                                          Language of compilation system | Country where language is spoken
                                                          English | United States
                                                          Arabic | Saudi Arabia
                                                          Catalan | Spain
                                                          Chinese | Taiwan
                                                          Czech | Czech Republic
                                                          Danish | Denmark
                                                          German | Germany
                                                          Greek | Greece
                                                          Finnish | Finland
                                                          French | France
                                                          Hebrew | Israel
                                                          Hungarian | Hungary
                                                          Italian | Italy
                                                          Japanese | Japan
                                                          Korean | North Korea
                                                          Korean | South Korea
                                                          Dutch | Netherlands
                                                          Norwegian | Norway
                                                          Polish | Poland
                                                          Portuguese | Brazil
                                                          Romanian | Romania
                                                          Russian | Russia
                                                          Croatian | Croatia
                                                          Slovak | Slovakia
                                                          Swedish | Sweden
                                                          Thai | Thailand
                                                          Turkish | Turkey
                                                          Slovenian | Slovenia
                                                          Estonian | Estonia
                                                          Latvian | Lativa
                                                          Lithuanian | Lithuania
                                                          Vietnamese | Vietnam
                                                          Chinese | China
                                                          Portuguese | Portugal

                                                          Network Behavior

                                                          No network behavior found

                                                          Code Manipulations

                                                          System Behavior

                                                          General

                                                          Start time:21:53:45
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Users\user\Desktop\LI180_win-1.5.1.exe' -install
                                                          Imagebase:0x400000
                                                          File size:10630347 bytes
                                                          MD5 hash:77D64242FBD270B5363D383B51075783
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:21:53:50
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Users\user\Desktop\LI180_win-1.5.1.exe' /install
                                                          Imagebase:0x400000
                                                          File size:10630347 bytes
                                                          MD5 hash:77D64242FBD270B5363D383B51075783
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:21:53:51
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:.\LI-180_Installer.exe -install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
                                                          Imagebase:0x400000
                                                          File size:6156254 bytes
                                                          MD5 hash:A94344CD648287F3BC40B538AF42190B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000000.220729543.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:21:53:55
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\Desktop\LI180_win-1.5.1.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Users\user\Desktop\LI180_win-1.5.1.exe' /load
                                                          Imagebase:0x400000
                                                          File size:10630347 bytes
                                                          MD5 hash:77D64242FBD270B5363D383B51075783
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: wce, Description: wce, Source: 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, Author: Benjamin DELPY (gentilkiwi)
                                                          Reputation:low

                                                          General

                                                          Start time:21:54:01
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:.\LI-180_Installer.exe /install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
                                                          Imagebase:0x400000
                                                          File size:6156254 bytes
                                                          MD5 hash:A94344CD648287F3BC40B538AF42190B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000000.240817220.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:21:54:08
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:.\LI-180_Installer.exe /load /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
                                                          Imagebase:0x400000
                                                          File size:6156254 bytes
                                                          MD5 hash:A94344CD648287F3BC40B538AF42190B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.257055940.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:21:54:37
                                                          Start date:25/02/2021
                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 71E95B410ABC515A6ABA0566A4073125
                                                          Imagebase:0x10f0000
                                                          File size:59904 bytes
                                                          MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Reputation:high

                                                          General

                                                          Start time:21:54:39
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                                                          Imagebase:0x7ff6e8570000
                                                          File size:1050104 bytes
                                                          MD5 hash:BE3C79033FA8302002D9D3A6752F2263
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, Metadefender
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:moderate

                                                          General

                                                          Start time:21:54:41
                                                          Start date:25/02/2021
                                                          Path:C:\Windows\System32\drvinst.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:DrvInst.exe '4' '0' 'C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\siusbxp.inf' '9' '4ae43d7fb' '00000000000001BC' 'WinSta0\Default' '00000000000001C0' '208' 'c:\progra~2\li-180~1\driver'
                                                          Imagebase:0x7ff75abc0000
                                                          File size:166912 bytes
                                                          MD5 hash:46F5A16FA391AB6EA97C602B4D2E7819
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:21:54:46
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                                                          Imagebase:0x3f0000
                                                          File size:921992 bytes
                                                          MD5 hash:30A0AFEE4AEA59772DB6434F1C0511AB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, Metadefender
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:low

                                                          General

                                                          Start time:21:54:56
                                                          Start date:25/02/2021
                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding CCF296E1DF7FA7E357D3B10A86C0BEB2
                                                          Imagebase:0x10f0000
                                                          File size:59904 bytes
                                                          MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Reputation:high

                                                          General

                                                          Start time:21:55:00
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                                                          Imagebase:0x7ff718530000
                                                          File size:1050104 bytes
                                                          MD5 hash:BE3C79033FA8302002D9D3A6752F2263
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:21:55:03
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                                                          Imagebase:0x4d0000
                                                          File size:921992 bytes
                                                          MD5 hash:30A0AFEE4AEA59772DB6434F1C0511AB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:21:55:15
                                                          Start date:25/02/2021
                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding FCA266DDB967C0E28D252C5FC68B1467
                                                          Imagebase:0x10f0000
                                                          File size:59904 bytes
                                                          MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:Borland Delphi
                                                          Reputation:high

                                                          General

                                                          Start time:21:55:18
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                                                          Imagebase:0x7ff7fa230000
                                                          File size:1050104 bytes
                                                          MD5 hash:BE3C79033FA8302002D9D3A6752F2263
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:21:55:25
                                                          Start date:25/02/2021
                                                          Path:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
                                                          Imagebase:0x60000
                                                          File size:921992 bytes
                                                          MD5 hash:30A0AFEE4AEA59772DB6434F1C0511AB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Disassembly

                                                          Code Analysis

                                                            Execution Graph

                                                            Execution Coverage:15.2%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:6.4%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:25

                                                            Graph

SetFilePointer 17656->17706 17661 403981 __EH_prolog3_catch_GS 17660->17661 17662 40469f 73 API calls 17661->17662 17663 4039f6 17662->17663 17664 403a31 17663->17664 17665 4039fc 17663->17665 17667 40320a 70 API calls 17664->17667 17716 4037b0 17665->17716 17668 403a45 17667->17668 17712 4060ec 17668->17712 17677 403a08 17725 416c1c 17677->17725 17681 4046b0 17680->17681 17685 409f8a 3 API calls 17681->17685 17682 4046c4 17683 4046d4 17682->17683 18111 404515 17682->18111 17683->17621 17685->17682 18121 408b62 17686->18121 17690 40b992 17689->17690 17691 40b9af 17689->17691 17690->17691 18125 4089e5 17690->18125 17691->17620 18129 408b8a 17693->18129 17697 408a5e 17696->17697 17699 40fc1b 2 API calls 17696->17699 18137 401a63 17696->18137 17697->17621 17699->17697 17701 40b73b __EH_prolog3 17700->17701 18199 40b644 17701->18199 17703 40b754 18220 40898e 17703->18220 17705 40b767 ~_Task_impl 17705->17640 17707 4094fd GetLastError 17706->17707 17708 409507 17706->17708 17707->17708 17709 409e0f 17708->17709 17710 409e16 17709->17710 17711 409e1a GetLastError 17709->17711 17710->17655 17711->17710 17713 4060f8 __EH_prolog3_catch 17712->17713 17728 405e50 17713->17728 17717 4037bc __EH_prolog3 17716->17717 18091 40331a 17717->18091 17719 4037cd ~_Task_impl 17719->17677 17726 416b12 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 17725->17726 17727 416c26 17726->17727 17727->17727 17729 405e5c __EH_prolog3 17728->17729 17747 403043 17729->17747 17893 402fb4 17747->17893 17894 408b5a ~_Task_impl 5 API calls 17893->17894 17895 402fbd 17894->17895 17896 408b5a ~_Task_impl 5 API calls 17895->17896 17897 402fc5 17896->17897 17898 408b5a ~_Task_impl 5 API calls 17897->17898 17899 402fcd 17898->17899 17900 408b5a ~_Task_impl 5 API calls 17899->17900 17901 402fd5 17900->17901 17902 408b5a ~_Task_impl 5 API calls 17901->17902 17903 402fdd 17902->17903 17904 408b5a ~_Task_impl 5 API calls 17903->17904 17905 402fe5 17904->17905 17906 408b5a ~_Task_impl 5 API 
calls 17905->17906 17907 402fef 17906->17907 17908 408b5a ~_Task_impl 5 API calls 17907->17908 17909 402ff7 17908->17909 17910 408b5a ~_Task_impl 5 API calls 17909->17910 17911 403004 17910->17911 17912 408b5a ~_Task_impl 5 API calls 17911->17912 17913 40300c 17912->17913 17914 408b5a ~_Task_impl 5 API calls 17913->17914 17915 403019 17914->17915 17916 408b5a ~_Task_impl 5 API calls 17915->17916 17917 403021 17916->17917 17918 408b5a ~_Task_impl 5 API calls 17917->17918 17919 40302e 17918->17919 17920 408b5a ~_Task_impl 5 API calls 17919->17920 17921 403036 17920->17921 18092 403326 __EH_prolog3 18091->18092 18093 408b5a ~_Task_impl 5 API calls 18092->18093 18094 40333a 18093->18094 18095 408bc5 ~_Task_impl 5 API calls 18094->18095 18096 403345 ~_Task_impl 18095->18096 18096->17719 18112 404521 __EH_prolog3 18111->18112 18113 40b06f GetLastError 18112->18113 18114 404531 18113->18114 18115 40140a 70 API calls 18114->18115 18116 404544 ~_Task_impl 18114->18116 18118 404568 ___crtGetEnvironmentStringsA 18115->18118 18116->17683 18117 416c30 ___sbh_free_block __VEC_memcpy 18117->18118 18118->18116 18118->18117 18119 404651 ___crtGetEnvironmentStringsA 18118->18119 18120 409f8a 3 API calls 18119->18120 18120->18116 18122 401066 18121->18122 18123 408b6a 18121->18123 18122->17621 18124 408a61 70 API calls 18123->18124 18124->18122 18126 4089f2 18125->18126 18127 408a0b CharUpperW CharUpperW 18126->18127 18128 408a2d 18126->18128 18127->18126 18127->18128 18128->17690 18130 408b62 70 API calls 18129->18130 18131 408b92 18130->18131 18134 408afb 18131->18134 18135 416c30 ___sbh_free_block __VEC_memcpy 18134->18135 18136 408b23 18135->18136 18136->17620 18142 401a78 18137->18142 18138 401aa6 18157 408b29 18138->18157 18142->18138 18143 40177a 18142->18143 18144 401786 __EH_prolog3 18143->18144 18145 408bc5 ~_Task_impl 5 API calls 18144->18145 18146 40179d 18145->18146 18147 408bc5 ~_Task_impl 5 API calls 18146->18147 18148 4017ac 18147->18148 18161 4015e5 18148->18161 
18150 4017bb 18167 401489 18150->18167 18152 4017c7 18173 40b173 18152->18173 18156 4017de ~_Task_impl 18156->18142 18158 408b3d 18157->18158 18159 401ab4 18158->18159 18160 408afb __VEC_memcpy 18158->18160 18159->17697 18160->18159 18162 4015f1 __EH_prolog3 18161->18162 18163 408b5a ~_Task_impl 5 API calls 18162->18163 18164 401605 18163->18164 18165 408bc5 ~_Task_impl 5 API calls 18164->18165 18166 401610 ~_Task_impl 18165->18166 18166->18150 18168 401495 __EH_prolog3 18167->18168 18169 408b5a ~_Task_impl 5 API calls 18168->18169 18170 4014a9 18169->18170 18171 408bc5 ~_Task_impl 5 API calls 18170->18171 18172 4014b4 ~_Task_impl 18171->18172 18172->18152 18174 40b18a 18173->18174 18176 40b190 18173->18176 18195 40fca0 SetEvent 18174->18195 18177 40b19f 18176->18177 18198 40fc41 WaitForSingleObject 18176->18198 18179 40fc1b ctype 2 API calls 18177->18179 18180 40b1a5 18179->18180 18181 40fc1b ctype 2 API calls 18180->18181 18182 40b1ae 18181->18182 18183 40fc1b ctype 2 API calls 18182->18183 18184 4017d2 18183->18184 18185 40157a 18184->18185 18186 401586 __EH_prolog3 18185->18186 18187 408bc5 ~_Task_impl 5 API calls 18186->18187 18188 40159a 18187->18188 18189 408bc5 ~_Task_impl 5 API calls 18188->18189 18190 4015a6 18189->18190 18191 408bc5 ~_Task_impl 5 API calls 18190->18191 18192 4015b2 18191->18192 18193 408bc5 ~_Task_impl 5 API calls 18192->18193 18194 4015be ~_Task_impl 18193->18194 18194->18156 18196 40fc0b GetLastError 18195->18196 18197 40fcb2 18196->18197 18197->18176 18198->18177 18201 40b650 __EH_prolog3 18199->18201 18200 40b6d0 18203 40b701 18200->18203 18204 40b6dd 18200->18204 18201->18200 18202 408826 70 API calls 18201->18202 18205 40b680 18202->18205 18208 40b71a 18203->18208 18209 40b70a 18203->18209 18206 408730 70 API calls 18204->18206 18207 4089e5 ctype 2 API calls 18205->18207 18211 40b6e9 18206->18211 18212 40b68d 18207->18212 18210 4096a4 70 API calls 18208->18210 18213 4096e4 70 API calls 18209->18213 18215 40b6c5 ~_Task_impl 
18210->18215 18214 4096a4 70 API calls 18211->18214 18212->18200 18216 40b6a6 18212->18216 18213->18215 18214->18215 18215->17703 18217 408730 70 API calls 18216->18217 18218 40b6b2 18217->18218 18219 4096a4 70 API calls 18218->18219 18219->18215 18225 408768 18220->18225 18222 4089a0 18235 40887e 18222->18235 18224 4089a8 18224->17705 18226 408774 __EH_prolog3 18225->18226 18227 40320a 70 API calls 18226->18227 18228 408786 18227->18228 18229 408670 70 API calls 18228->18229 18230 40879a 18229->18230 18231 408670 70 API calls 18230->18231 18232 4087a3 18231->18232 18233 408670 70 API calls 18232->18233 18234 4087ac ~_Task_impl 18233->18234 18234->18222 18236 4088c9 18235->18236 18237 40888f 18235->18237 18236->18224 18237->18236 18239 406dda 18237->18239 18240 406df0 18239->18240 18241 406e04 18240->18241 18243 406db3 18240->18243 18241->18236 18244 416c30 ___sbh_free_block __VEC_memcpy 18243->18244 18245 406dd4 18244->18245 18245->18241 18247 403fb5 GetFullPathNameW 18246->18247 18248 403faf 18246->18248 18247->17529 18249 40110f 70 API calls 18248->18249 18249->18247 18252 411111 __EH_prolog3 _wcslen 18250->18252 18251 4111c8 ~_Task_impl 18251->17528 18252->18251 18262 410dd8 18252->18262 18255 410dd8 70 API calls 18256 411162 18255->18256 18257 408730 70 API calls 18256->18257 18260 411191 18256->18260 18258 41117c 18257->18258 18259 4089e5 ctype 2 API calls 18258->18259 18259->18260 18260->18251 18261 408670 70 API calls 18260->18261 18261->18260 18263 410de6 _wcslen 18262->18263 18264 401647 70 API calls 18263->18264 18265 410e11 18264->18265 18265->18255 18268 4086a8 __EH_prolog3 18266->18268 18267 4086d5 18269 40320a 70 API calls 18267->18269 18268->18267 18270 4086ca 18268->18270 18272 4086dd 18269->18272 18271 404082 70 API calls 18270->18271 18276 4086d3 ~_Task_impl 18271->18276 18273 40110f 70 API calls 18272->18273 18274 4086ea 18273->18274 18275 404082 70 API calls 18274->18275 18275->18276 18276->17538 18289 416b21 18277->18289 18279 410b51 
CreateDirectoryW 18280 410b66 GetLastError 18279->18280 18286 410b62 ~_Task_impl 18279->18286 18281 410b73 18280->18281 18280->18286 18282 40320a 70 API calls 18281->18282 18283 410b7b 18282->18283 18284 409876 71 API calls 18283->18284 18285 410b8b 18284->18285 18285->18286 18287 410b8f CreateDirectoryW 18285->18287 18286->17378 18288 410ba0 18287->18288 18288->18286 18289->18279 18301 409be1 18290->18301 18293 40c93e 18294 40c94a __EH_prolog3 18293->18294 18295 404082 70 API calls 18294->18295 18296 40c95d 18295->18296 18297 401647 70 API calls 18296->18297 18298 40c971 18297->18298 18311 40c8c5 18298->18311 18300 40c983 ~_Task_impl 18300->17392 18304 409b71 18301->18304 18303 409bfa 18303->18293 18305 409b7d __EH_prolog3 18304->18305 18306 40320a 70 API calls 18305->18306 18307 409b8f 18306->18307 18308 403fa3 70 API calls 18307->18308 18309 409bb0 LoadStringW 18308->18309 18309->18307 18310 409bc6 ~_Task_impl 18309->18310 18310->18303 18312 40c8d7 18311->18312 18313 40c8db 18311->18313 18312->18300 18313->18312 18314 406dda __VEC_memcpy 18313->18314 18316 40c86e 18313->18316 18314->18313 18317 40c87d 18316->18317 18319 40c896 18317->18319 18320 40c83f 18317->18320 18319->18313 18321 40c84f 18320->18321 18322 4084ef 70 API calls 18321->18322 18323 40c85b 18322->18323 18324 406db3 __VEC_memcpy 18323->18324 18325 40c868 18324->18325 18325->18319 18326->17303 18327 40756b 18328 407578 18327->18328 18330 40757f 18327->18330 18331 407512 18328->18331 18332 40751e __EH_prolog3 18331->18332 18343 4070dc 18332->18343 18334 407535 18347 4070ab 18334->18347 18336 407541 18337 4070ab VirtualFree 18336->18337 18338 40754d 18337->18338 18339 4070ab VirtualFree 18338->18339 18340 407559 18339->18340 18341 4070ab VirtualFree 18340->18341 18342 407565 ~_Task_impl 18341->18342 18342->18330 18344 4070e8 __EH_prolog3 18343->18344 18351 40aaba 18344->18351 18346 4070f6 ~_Task_impl 18346->18334 18348 4070b7 __EH_prolog3 18347->18348 18357 40a897 18348->18357 18350 4070c5 ~_Task_impl 
18350->18336 18354 40d894 18351->18354 18355 40d89b VirtualFree 18354->18355 18356 40aac4 18354->18356 18355->18356 18356->18346 18358 40d894 VirtualFree 18357->18358 18359 40a8a2 18358->18359 18359->18350 18360 411f51 18361 411f5e 18360->18361 18366 411f73 18360->18366 18369 411c5d KillTimer 18361->18369 18364 411f69 18364->18366 18367 411f8c 18364->18367 18365 411f8a 18370 4107bb 18366->18370 18394 411eba EndDialog 18367->18394 18369->18364 18371 4107d0 18370->18371 18375 41088b 18370->18375 18372 4108e1 18371->18372 18373 4107d9 18371->18373 18374 4108e8 GetDesktopWindow SetForegroundWindow 18372->18374 18372->18375 18373->18375 18376 4108b1 18373->18376 18377 4107f6 18373->18377 18374->18375 18375->18365 18407 41203e 18376->18407 18434 411a09 SetWindowTextW 18376->18434 18435 410729 SendMessageW 18376->18435 18377->18375 18378 410893 18377->18378 18379 410805 18377->18379 18395 411ec8 18378->18395 18381 410810 ShowWindow 18379->18381 18382 41084b 18379->18382 18380 4108b8 SetEvent 18380->18375 18383 41081b PeekMessageW 18381->18383 18382->18375 18384 410850 ShowWindow 18382->18384 18383->18383 18385 41082d 18383->18385 18386 41085b PeekMessageW 18384->18386 18436 41079e DialogBoxParamW 18385->18436 18386->18386 18388 41086d MessageBoxW SetEvent 18386->18388 18388->18375 18389 41083c SetEvent 18389->18382 18394->18365 18437 411cfc EnterCriticalSection LeaveCriticalSection 18395->18437 18397 411edc 18406 411f1d __aulldiv 18397->18406 18438 411e99 18397->18438 18401 411ef7 18402 411f07 18401->18402 18403 411f10 18401->18403 18446 411ddf 18402->18446 18442 411e2a 18403->18442 18406->18375 18450 416b21 18407->18450 18409 41204a GetDlgItem 18410 412097 SetTimer 18409->18410 18411 412077 LoadIconW SendMessageW 18409->18411 18451 411a09 SetWindowTextW 18410->18451 18411->18410 18413 4120b1 18414 411e99 PostMessageW 18413->18414 18415 4120b8 18414->18415 18416 40320a 70 API calls 18415->18416 18417 4120c0 18416->18417 18418 40c825 71 API calls 18417->18418 18419 4120ce 
18418->18419 18420 408639 70 API calls 18419->18420 18421 4120db 18420->18421 18422 4120e6 SetDlgItemTextW 18421->18422 18423 40320a 70 API calls 18422->18423 18424 412101 18423->18424 18425 40c825 71 API calls 18424->18425 18426 412110 18425->18426 18427 408639 70 API calls 18426->18427 18428 41211d 18427->18428 18429 412129 SetDlgItemTextW 18428->18429 18452 410729 SendMessageW 18429->18452 18431 41213f 18432 40fca0 2 API calls 18431->18432 18433 41214e ~_Task_impl 18432->18433 18433->18380 18434->18380 18435->18380 18436->18389 18437->18397 18439 411ea2 PostMessageW 18438->18439 18440 411eb8 18438->18440 18439->18440 18441 411d6e EnterCriticalSection LeaveCriticalSection 18440->18441 18441->18401 18443 411e3f 18442->18443 18445 411e89 18443->18445 18449 411c72 SendMessageW 18443->18449 18445->18406 18447 411e06 18446->18447 18448 411e13 SendMessageW 18447->18448 18448->18403 18449->18445 18450->18409 18451->18413 18452->18431 18453 412970 18515 411cbc EnterCriticalSection LeaveCriticalSection 18453->18515 18455 41298e 18456 41298a 18456->18455 18457 40320a 70 API calls 18456->18457 18511 4129c7 18456->18511 18459 4129df 18457->18459 18458 409a4a VariantClear 18458->18455 18460 4129f3 18459->18460 18461 4129e5 18459->18461 18463 4090ca 70 API calls 18460->18463 18460->18511 18462 408639 70 API calls 18461->18462 18464 4129f1 18462->18464 18463->18464 18465 408639 70 API calls 18464->18465 18470 412a21 18465->18470 18466 412a4c 18467 409a4a VariantClear 18466->18467 18467->18511 18468 412a76 18469 409a4a VariantClear 18468->18469 18469->18511 18470->18466 18470->18468 18471 412ad0 18470->18471 18472 412add 18470->18472 18507 412d44 18470->18507 18473 409a4a VariantClear 18471->18473 18474 409a4a VariantClear 18472->18474 18473->18466 18475 412af4 18474->18475 18475->18466 18476 412b10 18475->18476 18476->18468 18516 40900b 18476->18516 18478 412b60 18479 412b72 18478->18479 18480 412b65 18478->18480 18481 404082 70 API calls 18479->18481 18550 4085b9 18480->18550 
18484 412b7e 18481->18484 18483 412ba0 18485 4096a4 70 API calls 18483->18485 18484->18483 18527 412707 18484->18527 18487 412bb1 18485->18487 18488 412bb6 18487->18488 18489 412c0c 18487->18489 18491 408639 70 API calls 18488->18491 18490 40320a 70 API calls 18489->18490 18492 412c14 18490->18492 18493 412bc4 18491->18493 18496 409371 74 API calls 18492->18496 18494 412bd2 18493->18494 18495 412bc9 18493->18495 18535 4109de 18494->18535 18556 410ae4 18495->18556 18499 412c1f 18496->18499 18512 412c47 18499->18512 18566 410bbb 18499->18566 18501 408639 70 API calls 18501->18507 18502 412bd0 18505 4085b9 ~_Task_impl 5 API calls 18502->18505 18503 412c2b 18506 408639 70 API calls 18503->18506 18503->18512 18504 408bd0 70 API calls 18504->18512 18508 412bf6 18505->18508 18506->18512 18509 409a4a VariantClear 18508->18509 18509->18511 18511->18458 18512->18504 18513 412d10 18512->18513 18514 408639 70 API calls 18512->18514 18547 40999d 18512->18547 18513->18501 18514->18512 18515->18456 18517 409017 __EH_prolog3 18516->18517 18518 408b5a ~_Task_impl 5 API calls 18517->18518 18519 40901f 18518->18519 18520 40320a 70 API calls 18519->18520 18526 409027 18520->18526 18521 409070 18522 4087e6 70 API calls 18521->18522 18523 40907c ~_Task_impl 18522->18523 18523->18478 18524 4087e6 70 API calls 18524->18526 18525 408670 70 API calls 18525->18526 18526->18521 18526->18523 18526->18524 18526->18525 18528 412713 __EH_prolog3 18527->18528 18529 404082 70 API calls 18528->18529 18531 41271f 18529->18531 18530 408fde 70 API calls 18530->18531 18531->18530 18532 410b45 74 API calls 18531->18532 18533 412752 ~_Task_impl 18531->18533 18534 408670 70 API calls 18531->18534 18532->18531 18533->18483 18534->18531 18579 416b21 18535->18579 18537 4109ea CreateFileW 18538 410a11 18537->18538 18539 410a3f 18537->18539 18540 40320a 70 API calls 18538->18540 18541 410a50 SetFileTime FindCloseChangeNotification 18539->18541 18543 410a70 ~_Task_impl 18539->18543 18542 410a19 18540->18542 
18541->18543 18544 409876 71 API calls 18542->18544 18543->18502 18545 410a29 18544->18545 18545->18539 18546 410a2d CreateFileW 18545->18546 18546->18539 18580 409986 18547->18580 18551 4085c5 __EH_prolog3 18550->18551 18552 408b5a ~_Task_impl 5 API calls 18551->18552 18553 4085d9 18552->18553 18554 408bc5 ~_Task_impl 5 API calls 18553->18554 18555 4085e4 ~_Task_impl 18554->18555 18555->18468 18601 416b21 18556->18601 18558 410af0 RemoveDirectoryW 18559 410b03 18558->18559 18565 410aff ~_Task_impl 18558->18565 18560 40320a 70 API calls 18559->18560 18561 410b0b 18560->18561 18562 409876 71 API calls 18561->18562 18563 410b1b 18562->18563 18564 410b22 RemoveDirectoryW 18563->18564 18563->18565 18564->18565 18565->18502 18567 410bc7 __EH_prolog3 18566->18567 18602 410a7a 18567->18602 18569 410bd1 18570 410bd5 DeleteFileW 18569->18570 18573 410be4 ~_Task_impl 18569->18573 18571 410be8 18570->18571 18570->18573 18572 40320a 70 API calls 18571->18572 18574 410bf0 18572->18574 18573->18503 18575 409876 71 API calls 18574->18575 18576 410c00 18575->18576 18576->18573 18577 410c07 DeleteFileW 18576->18577 18578 410c13 18577->18578 18578->18573 18579->18537 18583 409969 18580->18583 18586 409899 18583->18586 18585 409983 18585->18512 18587 4098a5 __EH_prolog3 18586->18587 18598 409469 18587->18598 18590 4098b0 CreateFileW 18591 4098d2 18590->18591 18592 409902 ~_Task_impl 18590->18592 18593 40320a 70 API calls 18591->18593 18592->18585 18594 4098da 18593->18594 18595 409876 71 API calls 18594->18595 18596 4098e9 18595->18596 18596->18592 18597 4098ed CreateFileW 18596->18597 18597->18592 18599 409473 FindCloseChangeNotification 18598->18599 18600 40947e 18598->18600 18599->18600 18600->18590 18600->18592 18601->18558 18613 416b21 18602->18613 18604 410a86 SetFileAttributesW 18605 410a9c 18604->18605 18608 410a98 ~_Task_impl 18604->18608 18606 40320a 70 API calls 18605->18606 18607 410aa4 18606->18607 18609 409876 71 API calls 18607->18609 18608->18569 18610 410ab4 
18609->18610 18610->18608 18611 410ab8 SetFileAttributesW 18610->18611 18612 410aca 18611->18612 18612->18608 18613->18604 18614 409535 ReadFile 18615 402a96 18625 402769 18615->18625 18617 40278e 18619 40246d 5 API calls 18617->18619 18618 408bd0 70 API calls 18618->18625 18620 4027ae 18619->18620 18635 40232f 18620->18635 18621 40246d 5 API calls 18621->18625 18624 40232f ~_Task_impl 5 API calls 18624->18625 18625->18617 18625->18618 18625->18621 18625->18624 18626 40288e 18625->18626 18631 401adb 119 API calls 18625->18631 18632 40ac17 18625->18632 18641 402b81 18625->18641 18627 40246d 5 API calls 18626->18627 18628 4028bf 18627->18628 18629 40232f ~_Task_impl 5 API calls 18628->18629 18630 4026f5 18629->18630 18631->18625 18645 4124da 18632->18645 18636 40233b __EH_prolog3 18635->18636 18637 408b5a ~_Task_impl 5 API calls 18636->18637 18638 40234f 18637->18638 18639 408bc5 ~_Task_impl 5 API calls 18638->18639 18640 40235a ~_Task_impl 18639->18640 18640->18630 18642 402b8d __EH_prolog3 18641->18642 18643 408bd0 70 API calls 18642->18643 18644 402bc1 ~_Task_impl 18643->18644 18644->18625 18650 411da6 18645->18650 18648 40ac21 18648->18625 18653 411dab 18650->18653 18652 411dc9 18652->18648 18656 4123c2 18652->18656 18653->18652 18655 411db6 Sleep 18653->18655 18662 411cfc EnterCriticalSection LeaveCriticalSection 18653->18662 18663 411cbc EnterCriticalSection LeaveCriticalSection 18653->18663 18655->18653 18664 416b21 18656->18664 18658 4123ce EnterCriticalSection 18659 412447 LeaveCriticalSection 18658->18659 18661 4123f6 18658->18661 18660 412455 ~_Task_impl 18659->18660 18660->18648 18661->18659 18662->18653 18663->18653 18664->18658 18665 40781a 18666 407821 18665->18666 18667 407826 18665->18667 18671 40dc31 18667->18671 18669 407841 18669->18666 18675 40d84e 18669->18675 18672 40dc54 18671->18672 18673 416b12 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 18672->18673 18674 40dc70 18673->18674 18674->18669 18676 40d855 18675->18676 
18677 40d859 18675->18677 18676->18666 18678 417414 _malloc 69 API calls 18677->18678 18678->18676 18679 401aba 18680 401ac7 18679->18680 18682 401ace 18679->18682 18683 40193f 18680->18683 18684 40194b __EH_prolog3 18683->18684 18691 401616 18684->18691 18686 40195f 18697 401549 18686->18697 18688 40196b 18703 4011ee 18688->18703 18690 401977 ~_Task_impl 18690->18682 18692 401622 __EH_prolog3 18691->18692 18693 408b5a ~_Task_impl 5 API calls 18692->18693 18694 401636 18693->18694 18695 408bc5 ~_Task_impl 5 API calls 18694->18695 18696 401641 ~_Task_impl 18695->18696 18696->18686 18698 401555 __EH_prolog3 18697->18698 18699 408b5a ~_Task_impl 5 API calls 18698->18699 18700 401569 18699->18700 18701 408bc5 ~_Task_impl 5 API calls 18700->18701 18702 401574 ~_Task_impl 18701->18702 18702->18688 18704 4011fa __EH_prolog3 18703->18704 18705 408bc5 ~_Task_impl 5 API calls 18704->18705 18706 40120e 18705->18706 18707 408bc5 ~_Task_impl 5 API calls 18706->18707 18708 40121a 18707->18708 18709 408bc5 ~_Task_impl 5 API calls 18708->18709 18710 401226 18709->18710 18711 408bc5 ~_Task_impl 5 API calls 18710->18711 18712 401231 ~_Task_impl 18711->18712 18712->18690 18713 4124ba 18716 412324 18713->18716 18715 4124d5 18722 416b21 18716->18722 18718 412330 EnterCriticalSection 18719 4123b1 LeaveCriticalSection 18718->18719 18721 412364 18718->18721 18720 4123bf ~_Task_impl 18719->18720 18720->18715 18721->18719 18722->18718 18723 4224fe 18724 40110f 70 API calls 18723->18724 18725 42250a 18724->18725 18728 417693 18725->18728 18731 417657 18728->18731 18730 4176a0 18732 417663 type_info::_Type_info_dtor 18731->18732 18739 41aa6a 18732->18739 18738 417684 type_info::_Type_info_dtor 18738->18730 18740 419ea7 __lock 69 API calls 18739->18740 18741 417668 18740->18741 18742 41756c 18741->18742 18743 41867f __decode_pointer 7 API calls 18742->18743 18744 417580 18743->18744 18745 41867f __decode_pointer 7 API calls 18744->18745 18746 417590 18745->18746 18757 417613 18746->18757 18765 
41aea7 18746->18765 18748 418604 __encode_pointer 7 API calls 18750 417608 18748->18750 18749 4175ae 18751 4175c9 18749->18751 18752 4175d8 18749->18752 18761 4175fa 18749->18761 18754 418604 __encode_pointer 7 API calls 18750->18754 18778 41ae59 18751->18778 18753 4175d2 18752->18753 18752->18757 18753->18752 18756 41ae59 __realloc_crt 75 API calls 18753->18756 18758 4175ee 18753->18758 18754->18757 18759 4175e8 18756->18759 18762 41768d 18757->18762 18760 418604 __encode_pointer 7 API calls 18758->18760 18759->18757 18759->18758 18760->18761 18761->18748 18827 41aa73 18762->18827 18766 41aeb3 type_info::_Type_info_dtor 18765->18766 18767 41aee0 18766->18767 18768 41aec3 18766->18768 18770 41af21 HeapSize 18767->18770 18772 419ea7 __lock 69 API calls 18767->18772 18769 41ad48 __locking 69 API calls 18768->18769 18771 41aec8 18769->18771 18773 41aed8 type_info::_Type_info_dtor 18770->18773 18774 41b335 __locking 7 API calls 18771->18774 18775 41aef0 ___sbh_find_block 18772->18775 18773->18749 18774->18773 18783 41af41 18775->18783 18781 41ae62 18778->18781 18780 41aea1 18780->18753 18781->18780 18782 41ae82 Sleep 18781->18782 18787 41779f 18781->18787 18782->18781 18786 419dcd LeaveCriticalSection 18783->18786 18785 41af1c 18785->18770 18785->18773 18786->18785 18788 4177ab type_info::_Type_info_dtor 18787->18788 18789 4177c0 18788->18789 18790 4177b2 18788->18790 18792 4177d3 18789->18792 18793 4177c7 18789->18793 18791 417414 _malloc 69 API calls 18790->18791 18795 4177ba __dosmaperr type_info::_Type_info_dtor 18791->18795 18800 417945 18792->18800 18802 4177e0 ___sbh_resize_block ___sbh_find_block ___crtGetEnvironmentStringsA 18792->18802 18794 4174de type_info::_Type_info_dtor 69 API calls 18793->18794 18794->18795 18795->18781 18796 417978 18798 41ada0 __calloc_impl 7 API calls 18796->18798 18797 41794a HeapReAlloc 18797->18795 18797->18800 18801 41797e 18798->18801 18799 419ea7 __lock 69 API calls 18799->18802 18800->18796 18800->18797 18804 41799c 
18800->18804 18805 41ada0 __calloc_impl 7 API calls 18800->18805 18807 417992 18800->18807 18803 41ad48 __locking 69 API calls 18801->18803 18802->18795 18802->18796 18802->18799 18811 41786b HeapAlloc 18802->18811 18812 4178c0 HeapReAlloc 18802->18812 18814 41a6b9 ___sbh_alloc_block 5 API calls 18802->18814 18815 41792b 18802->18815 18816 41ada0 __calloc_impl 7 API calls 18802->18816 18819 41790e 18802->18819 18822 419f0a __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 18802->18822 18823 4178e3 18802->18823 18803->18795 18804->18795 18806 41ad48 __locking 69 API calls 18804->18806 18805->18800 18808 4179a5 GetLastError 18806->18808 18810 41ad48 __locking 69 API calls 18807->18810 18808->18795 18821 417913 18810->18821 18811->18802 18812->18802 18813 417918 GetLastError 18813->18795 18814->18802 18815->18795 18817 41ad48 __locking 69 API calls 18815->18817 18816->18802 18818 417938 18817->18818 18818->18795 18818->18808 18820 41ad48 __locking 69 API calls 18819->18820 18820->18821 18821->18795 18821->18813 18822->18802 18826 419dcd LeaveCriticalSection 18823->18826 18825 4178ea 18825->18802 18826->18825 18830 419dcd LeaveCriticalSection 18827->18830 18829 417692 18829->18738 18830->18829 18831 41805f 18870 417b6c 18831->18870 18833 41806b GetStartupInfoA 18835 41808e 18833->18835 18871 41a99e HeapCreate 18835->18871 18837 4180de 18873 418abf GetModuleHandleW 18837->18873 18841 4180ef __RTC_Initialize 18907 41be1c 18841->18907 18842 418036 _fast_error_exit 69 API calls 18842->18841 18844 4180fd 18845 418109 GetCommandLineA 18844->18845 18846 41a9fe __amsg_exit 69 API calls 18844->18846 18922 41bce5 18845->18922 18848 418108 18846->18848 18848->18845 18852 41812e 18958 41b9b2 18852->18958 18853 41a9fe __amsg_exit 69 API calls 18853->18852 18856 41813f 18973 41aabd 18856->18973 18857 41a9fe __amsg_exit 69 API calls 18857->18856 18859 418146 18860 418151 18859->18860 18861 41a9fe __amsg_exit 69 API calls 18859->18861 18979 41b953 18860->18979 
                                                            Executed Functions

                                                            Control-flow Graph

                                                            C-Code - Quality: 71%
                                                            			E00413F63(void* __ecx, char* __edx) {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				signed int _t361;
                                                            				void* _t368;
                                                            				intOrPtr _t370;
                                                            				intOrPtr _t422;
                                                            				signed int _t428;
                                                            				signed int _t429;
                                                            				signed int _t439;
                                                            				signed int _t442;
                                                            				signed int _t447;
                                                            				signed int _t449;
                                                            				signed int _t461;
                                                            				signed int _t464;
                                                            				signed int _t465;
                                                            				void* _t470;
                                                            				signed int _t496;
                                                            				signed int _t503;
                                                            				signed int _t523;
                                                            				signed int _t531;
                                                            				signed int _t558;
                                                            				WCHAR** _t579;
                                                            				signed int _t592;
                                                            				signed int _t611;
                                                            				signed int _t615;
                                                            				signed int _t681;
                                                            				signed int _t682;
                                                            				signed int _t683;
                                                            				signed int _t684;
                                                            				void* _t694;
                                                            				void* _t695;
                                                            				void* _t703;
                                                            				void* _t705;
                                                            				void* _t707;
                                                            				void* _t709;
                                                            				void* _t711;
                                                            				void* _t713;
                                                            				void* _t715;
                                                            				void* _t717;
                                                            				void* _t719;
                                                            				void* _t834;
                                                            				signed int _t835;
                                                            				void* _t839;
                                                            				void* _t842;
                                                            				void* _t844;
                                                            				signed int _t847;
                                                            				void* _t849;
                                                            				void* _t850;
                                                            				char** _t852;
                                                            
                                                            				_t831 = __edx;
                                                            				_t695 = __ecx;
                                                            				_t847 = _t849 - 0x68;
                                                            				_t850 = _t849 - 0x318;
                                                            				_t361 =  *0x42d330; // 0x41c6c370
                                                            				 *(_t847 + 0x64) = _t361 ^ _t847;
                                                            				 *(_t847 - 0xb8) = 0;
                                                            				_t833 = GetVersionExW;
                                                            				 *0x43063c =  *((intOrPtr*)(_t847 + 0x70));
                                                            				 *(_t847 - 0xb0) = 0x114;
                                                            				if(GetVersionExW(_t847 - 0xb0) == 0 ||  *((intOrPtr*)(_t847 - 0xa0)) != 2) {
                                                            					E00411936(0, _t695, _t833, 0x114, 0,  *0x430680);
                                                            					L3:
                                                            					_t368 = 1;
                                                            					goto L4;
                                                            				} else {
                                                            					__imp__CoInitialize(0); // executed
                                                            					_t370 = E00413849(); // executed
                                                            					 *0x430640 = _t370;
                                                            					E00417D60(GetVersionExW, _t847 - 0xb0, 0, 0x114);
                                                            					_t852 = _t850 + 0xc;
                                                            					 *(_t847 - 0xb0) = 0x114;
                                                            					GetVersionExW(_t847 - 0xb0);
                                                            					__eflags =  *((intOrPtr*)(_t847 - 0xac)) - 6;
                                                            					if(__eflags != 0) {
                                                            						L10:
                                                            						if(__eflags <= 0) {
                                                            							L12:
                                                            							E0040320A(_t847 - 0x1e4);
                                                            							E0040320A(_t847 - 0xdc);
                                                            							E0040320A(_t847 - 0x1a8);
                                                            							E0040320A(_t847 - 0x19c);
                                                            							E00401647(_t847 - 0xd0, _t847, GetCommandLineW());
                                                            							_push(_t847 - 0xdc);
                                                            							_push(_t847 - 0x1e4);
                                                            							_push(_t847 - 0xd0);
                                                            							E004088CF(0, _t833, 0x114, __eflags);
                                                            							_push( *(_t847 - 0xd0));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t703);
                                                            							E00408639(0x430644, _t847, E0040C825(_t703, _t847 - 0xc4, 0x11));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t705);
                                                            							E00408639(0x430650, _t847, E0040C825(_t705, _t847 - 0xc4, 0x12));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t707);
                                                            							E00408639(0x43065c, _t847, E0040C825(_t707, _t847 - 0xc4, 0x16));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t709);
                                                            							E00408639(0x430668, _t847, E0040C825(_t709, _t847 - 0xc4, 0x17));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t711);
                                                            							E00408639(0x430674, _t847, E0040C825(_t711, _t847 - 0xc4, 0xf));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t713);
                                                            							E00408639(0x430698, _t847, E0040C825(_t713, _t847 - 0xc4, 0xc));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t715);
                                                            							E00408639(0x4306a4, _t847, E0040C825(_t715, _t847 - 0xc4, 0x18));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t717);
                                                            							E00408639(0x430680, _t847, E0040C825(_t717, _t847 - 0xc4, 0x10));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t719);
                                                            							E00408639(0x43068c, _t847, E0040C825(_t719, _t847 - 0xc4, 0x10));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							 *_t852 = 0x2000; // executed
                                                            							_t422 = E00408BD0(0, _t833, __eflags,  *((intOrPtr*)(_t847 - 0xc4))); // executed
                                                            							 *((intOrPtr*)(_t847 - 0xe0)) = _t422;
                                                            							 *_t852 = 0x423a68;
                                                            							E00401647(_t847 - 0x174, _t847);
                                                            							E0040320A(_t847 - 0x180);
                                                            							_t840 = L"\"-k=";
                                                            							 *(_t847 - 0xb1) = 0;
                                                            							_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"\"-k=");
                                                            							__eflags = _t835;
                                                            							if(_t835 == 0) {
                                                            								_t840 = L"\"/k=";
                                                            								_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"\"/k=");
                                                            								__eflags = _t835;
                                                            								if(_t835 != 0) {
                                                            									goto L13;
                                                            								}
                                                            								_t840 = L"-k=";
                                                            								_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"-k=");
                                                            								__eflags = _t835;
                                                            								if(_t835 != 0) {
                                                            									L17:
                                                            									_t428 = _t835 + E00417DDA(_t840) * 2;
                                                            									__eflags = _t428;
                                                            									if(_t428 != 0) {
                                                            										_push(_t847 - 0x174);
                                                            										__eflags =  *(_t847 - 0xb1);
                                                            										if(__eflags == 0) {
                                                            											_push(L" \t\n");
                                                            										} else {
                                                            											_push(L"\"\t\n");
                                                            										}
                                                            										_push(_t428);
                                                            										E00413C44(0, _t831, _t835, _t840, __eflags);
                                                            									}
                                                            									L22:
                                                            									__eflags =  *(_t847 - 0x170);
                                                            									if( *(_t847 - 0x170) != 0) {
                                                            										E00417F66( *((intOrPtr*)(_t847 - 0xe0)), 0x1000,  *((intOrPtr*)(_t847 - 0x174)));
                                                            										_t852 =  &(_t852[3]);
                                                            										E004090CA(_t847 - 0x180, _t847,  *((intOrPtr*)(_t847 - 0xe0)));
                                                            									}
                                                            									_t429 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"-s");
                                                            									__eflags = _t429;
                                                            									if(_t429 != 0) {
                                                            										L28:
                                                            										 *((char*)(_t847 - 0xe0)) = 1;
                                                            										L29:
                                                            										E0040320A(_t847 - 0x15c);
                                                            										E00409101(0, _t835,  *0x43063c, _t847 - 0x15c);
                                                            										E0040898E(0, _t847 - 0xdc, _t831, _t835);
                                                            										E00408968(0, _t847 - 0xdc, _t831, _t835);
                                                            										 *(_t847 - 0xb1) =  *((intOrPtr*)(_t847 - 0xe0));
                                                            										 *(_t847 - 0xb8) = 3;
                                                            										_t841 = E00401647(_t847 - 0x1b4, _t847, L"-y");
                                                            										_t439 = E004089E5(_t847 - 0xdc,  *((intOrPtr*)(E00408730(_t847 - 0xdc, _t847 - 0xfc, 2))),  *_t436);
                                                            										__eflags = _t439;
                                                            										if(_t439 == 0) {
                                                            											L31:
                                                            											 *(_t847 - 0xb2) = 1;
                                                            											L32:
                                                            											__eflags =  *(_t847 - 0xb8) & 0x00000008;
                                                            											if(( *(_t847 - 0xb8) & 0x00000008) != 0) {
                                                            												_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            												_t88 = _t847 - 0xb8;
                                                            												 *_t88 =  *(_t847 - 0xb8) & 0xfffffff7;
                                                            												__eflags =  *_t88;
                                                            												L00408BFB(0, _t835, _t841,  *_t88);
                                                            											}
                                                            											__eflags =  *(_t847 - 0xb8) & 0x00000004;
                                                            											if(( *(_t847 - 0xb8) & 0x00000004) != 0) {
                                                            												_push( *(_t847 - 0xd0));
                                                            												_t94 = _t847 - 0xb8;
                                                            												 *_t94 =  *(_t847 - 0xb8) & 0xfffffffb;
                                                            												__eflags =  *_t94;
                                                            												L00408BFB(0, _t835, _t841,  *_t94);
                                                            											}
                                                            											__eflags =  *(_t847 - 0xb8) & 0x00000002;
                                                            											if(( *(_t847 - 0xb8) & 0x00000002) != 0) {
                                                            												_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            												_t100 = _t847 - 0xb8;
                                                            												 *_t100 =  *(_t847 - 0xb8) & 0xfffffffd;
                                                            												__eflags =  *_t100;
                                                            												L00408BFB(0, _t835, _t841,  *_t100);
                                                            											}
                                                            											__eflags =  *(_t847 - 0xb8) & 0x00000001;
                                                            											if(__eflags != 0) {
                                                            												_push( *(_t847 - 0x1b4));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            											}
                                                            											__eflags =  *(_t847 - 0xb2);
                                                            											if( *(_t847 - 0xb2) != 0) {
                                                            												 *(_t847 - 0xb1) = 1;
                                                            												E00408639(_t847 - 0xdc, _t847, E00408826(_t847 - 0xdc, _t847 - 0xc4, 2));
                                                            												_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												E0040898E(0, _t847 - 0xdc, _t831, _t835);
                                                            												E00408968(0, _t847 - 0xdc, _t831, _t835);
                                                            											}
                                                            											E00408C69(_t847 - 0x1c0);
                                                            											_t736 =  *((intOrPtr*)(_t847 - 0x15c));
                                                            											_push(_t847 - 0x1c0);
                                                            											_push(";!@InstallEnd@!");
                                                            											_t831 = ";!@Install@!UTF-8!";
                                                            											_t442 = E00413CE0( *((intOrPtr*)(_t847 - 0x15c)), ";!@Install@!UTF-8!");
                                                            											__eflags = _t442;
                                                            											if(_t442 != 0) {
                                                            												E00401647(_t847 - 0x150, _t847, L".\\");
                                                            												_t738 = _t847 - 0x118;
                                                            												E0040320A(_t847 - 0x118);
                                                            												_t836 = MessageBoxW;
                                                            												 *(_t847 - 0xe4) = 1;
                                                            												__eflags =  *(_t847 - 0x1bc);
                                                            												if(__eflags == 0) {
                                                            													L62:
                                                            													 *((char*)(_t847 - 0x10c)) = 0;
                                                            													E0040320A(_t847 - 0x108);
                                                            													_t740 = _t847 - 0x10c;
                                                            													__eflags = E004113E5(0, _t847 - 0x10c, _t831, _t836, _t847,  *0x42d24c);
                                                            													if(__eflags != 0) {
                                                            														_t447 = E00408BD0(0, _t836, __eflags, 0x1c);
                                                            														__eflags = _t447;
                                                            														if(_t447 == 0) {
                                                            															_t842 = 0;
                                                            															__eflags = 0;
                                                            														} else {
                                                            															_t842 = E00413EA3(_t447);
                                                            														}
                                                            														E0040222C(_t847 - 0xb8, _t842);
                                                            														_t743 = _t842;
                                                            														_t449 = E004118A7(0, _t842, _t831, _t836, _t842, __eflags);
                                                            														__eflags = _t449;
                                                            														if(_t449 == 0) {
                                                            															E00404082(_t847 - 0x130, _t847, _t847 - 0x108);
                                                            															_t745 = _t847 - 0x168;
                                                            															 *(_t847 - 0xb2) = 0;
                                                            															E0040320A(_t847 - 0x168);
                                                            															_push( *((intOrPtr*)(_t847 - 0xe0)));
                                                            															_push(_t847 - 0x180);
                                                            															_push(1);
                                                            															_push(_t847 - 0x168);
                                                            															_push(_t847 - 0xb2);
                                                            															_push( *(_t847 - 0xe4));
                                                            															_push(_t847 - 0x130);
                                                            															_push(_t847 - 0x15c);
                                                            															_push(_t842);
                                                            															_t843 = E004135E5(0, _t831, _t836, _t842, __eflags);
                                                            															__eflags = _t843;
                                                            															if(__eflags == 0) {
                                                            																_push( *(_t847 - 0x168));
                                                            																L00408BFB(0, _t836, _t843, __eflags);
                                                            																E00413E7B(0, _t847 - 0xf0, _t836, _t843, __eflags);
                                                            																_t843 = SetCurrentDirectoryW; // executed
                                                            																_t461 = SetCurrentDirectoryW( *(_t847 - 0x108)); // executed
                                                            																__eflags = _t461;
                                                            																if(__eflags != 0) {
                                                            																	__eflags =  *(_t847 - 0x1a4);
                                                            																	if( *(_t847 - 0x1a4) == 0) {
                                                            																		__eflags =  *(_t847 - 0x114);
                                                            																		if( *(_t847 - 0x114) != 0) {
                                                            																			L101:
                                                            																			E0040320A(_t847 - 0x124);
                                                            																			_push(_t847 - 0x124);
                                                            																			_t464 = E00410D94( *((intOrPtr*)(_t847 - 0x15c)));
                                                            																			__eflags = _t464;
                                                            																			if(_t464 == 0) {
                                                            																				E0040320A(_t847 - 0xfc);
                                                            																				_push(_t847 - 0xfc);
                                                            																				E00410D94( *((intOrPtr*)(_t847 - 0x15c)));
                                                            																				E00408639(_t847 - 0x124, _t847, _t847 - 0xfc);
                                                            																				_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																			}
                                                            																			_t465 = E00417FD5( *((intOrPtr*)(_t847 - 0x118)), L"%%T");
                                                            																			__eflags = _t465;
                                                            																			if(_t465 == 0) {
                                                            																				__eflags =  *(_t847 - 0x14c);
                                                            																				if( *(_t847 - 0x14c) != 0) {
                                                            																					E004099DF(_t847 - 0x150);
                                                            																				}
                                                            																			} else {
                                                            																				E00408639(_t847 - 0x150, _t847, _t847 - 0x130);
                                                            																				E004099DF(_t847 - 0x150);
                                                            																				E00401647(_t847 - 0xc4, _t847, 0x423a68);
                                                            																				E00401647(_t847 - 0xfc, _t847, L"%%T\\");
                                                            																				E0040C8C5(_t847 - 0x118, _t847 - 0xfc, _t847 - 0xc4);
                                                            																				_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																			}
                                                            																			__eflags =  *(_t847 - 0xd8);
                                                            																			if(__eflags != 0) {
                                                            																				E00408670(_t847 - 0x118, _t831, __eflags, 0x20);
                                                            																				E00408FDE(_t847 - 0x118, __eflags, _t847 - 0xdc);
                                                            																			}
                                                            																			 *((short*)(_t847 - 0x27e)) = 0;
                                                            																			_push(_t847 - 0x118);
                                                            																			_push(_t847 - 0x150);
                                                            																			_push(_t847 - 0x26c);
                                                            																			 *(_t847 - 0x2b0) = 0x44;
                                                            																			 *((intOrPtr*)(_t847 - 0x2ac)) = 0;
                                                            																			 *((intOrPtr*)(_t847 - 0x2a8)) = 0;
                                                            																			 *((intOrPtr*)(_t847 - 0x2a4)) = 0;
                                                            																			 *((intOrPtr*)(_t847 - 0x284)) = 0;
                                                            																			 *((intOrPtr*)(_t847 - 0x27c)) = 0;
                                                            																			_t470 = E004096A4(0, _t836, _t843, __eflags);
                                                            																			_t836 = _t470;
                                                            																			_push(E00401647(_t847 - 0x18c, _t847, "\""));
                                                            																			_push(_t847 - 0x180);
                                                            																			_push(E00401647(_t847 - 0x248, _t847, L"\" /k=\""));
                                                            																			_push(_t847 - 0x124);
                                                            																			_push(E00401647(_t847 - 0x254, _t847, L" /m=\""));
                                                            																			_push(_t470);
                                                            																			_push(_t847 - 0x260);
                                                            																			_push(E004096A4(0, _t470, _t843, __eflags));
                                                            																			_push(_t847 - 0x23c);
                                                            																			_push(E004096A4(0, _t470, _t843, __eflags));
                                                            																			_push(_t847 - 0xfc);
                                                            																			_push(E004096A4(0, _t470, _t843, __eflags));
                                                            																			_push(_t847 - 0xc4);
                                                            																			_push(E004096A4(0, _t470, _t843, __eflags));
                                                            																			_push(_t847 - 0xd0);
                                                            																			E004096A4(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x23c)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x260)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x26c)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x254)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x248)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *(_t847 - 0x18c));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_t852 =  &(_t852[8]);
                                                            																			_t496 = CreateProcessW(0,  *(_t847 - 0xd0), 0, 0, 0, 0, 0,  *(_t847 - 0x108), _t847 - 0x2b0, _t847 - 0x230); // executed
                                                            																			__eflags = _t496;
                                                            																			if(__eflags != 0) {
                                                            																				CloseHandle( *(_t847 - 0x22c));
                                                            																				_push( *(_t847 - 0xd0));
                                                            																				_t836 =  *(_t847 - 0x230);
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				_push( *(_t847 - 0x124));
                                                            																				L114:
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				__eflags = _t836;
                                                            																				if(__eflags == 0) {
                                                            																					SetCurrentDirectoryW( *(_t847 - 0xf0));
                                                            																					_push( *(_t847 - 0xf0));
                                                            																					L00408BFB(0, _t836, _t843, __eflags);
                                                            																					_push( *((intOrPtr*)(_t847 - 0x130)));
                                                            																					L00408BFB(0, _t836, _t843, __eflags);
                                                            																					_t503 =  *(_t847 - 0xb8);
                                                            																					__eflags = _t503;
                                                            																					if(__eflags != 0) {
                                                            																						 *((intOrPtr*)( *_t503 + 8))(_t503);
                                                            																					}
                                                            																					E00413A1F(0, _t847 - 0x10c, _t836, _t843, __eflags);
                                                            																					_t844 = 0;
                                                            																				} else {
                                                            																					WaitForSingleObject(_t836, 0xffffffff);
                                                            																					GetExitCodeProcess(_t836, _t847 - 0xe4); // executed
                                                            																					FindCloseChangeNotification(_t836); // executed
                                                            																					_t836 =  *(_t847 - 0xe4);
                                                            																					SetCurrentDirectoryW( *(_t847 - 0xf0)); // executed
                                                            																					_push( *(_t847 - 0xf0));
                                                            																					L00408BFB(0, _t836, _t843, __eflags);
                                                            																					_push( *((intOrPtr*)(_t847 - 0x130)));
                                                            																					L00408BFB(0, _t836, _t843, __eflags);
                                                            																					_t523 =  *(_t847 - 0xb8);
                                                            																					__eflags = _t523;
                                                            																					if(__eflags != 0) {
                                                            																						 *((intOrPtr*)( *_t523 + 8))(_t523);
                                                            																					}
                                                            																					E00413A1F(0, _t847 - 0x10c, _t836, _t843, __eflags); // executed
                                                            																					_t844 = _t836;
                                                            																				}
                                                            																				goto L52;
                                                            																			} else {
                                                            																				__eflags =  *(_t847 - 0xb1);
                                                            																				if(__eflags == 0) {
                                                            																					E004119F6(0);
                                                            																				}
                                                            																				_push( *(_t847 - 0xd0));
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				_push( *(_t847 - 0x124));
                                                            																				L95:
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				goto L87;
                                                            																			}
                                                            																		}
                                                            																		_t781 = _t847 - 0x118;
                                                            																		E004090CA(_t847 - 0x118, _t847, L"setup.exe");
                                                            																		_push( *((intOrPtr*)(_t847 - 0x118)));
                                                            																		_t558 = E00409421(0, _t831, _t836, SetCurrentDirectoryW, __eflags);
                                                            																		__eflags = _t558;
                                                            																		if(_t558 != 0) {
                                                            																			goto L101;
                                                            																		}
                                                            																		__eflags =  *(_t847 - 0xb1);
                                                            																		if(__eflags == 0) {
                                                            																			E00411936(0, _t781, _t836, SetCurrentDirectoryW, 0,  *0x4306a4);
                                                            																		}
                                                            																		goto L87;
                                                            																	}
                                                            																	E00404082(_t847 - 0xd0, _t847, _t847 - 0x1a8);
                                                            																	_t836 =  *(_t847 - 0xd0);
                                                            																	 *(_t847 - 0x220) = 0x3c;
                                                            																	 *((intOrPtr*)(_t847 - 0x21c)) = 0x140;
                                                            																	 *((intOrPtr*)(_t847 - 0x218)) = 0;
                                                            																	 *((intOrPtr*)(_t847 - 0x214)) = 0;
                                                            																	 *(_t847 - 0x210) = _t836;
                                                            																	__eflags =  *(_t847 - 0xd8);
                                                            																	if(__eflags != 0) {
                                                            																		E00408FDE(_t847 - 0x19c, __eflags, _t847 - 0xdc);
                                                            																	}
                                                            																	_t783 = _t847 - 0x124;
                                                            																	E00404082(_t847 - 0x124, _t847, _t847 - 0x19c);
                                                            																	asm("sbb eax, eax");
                                                            																	 *((intOrPtr*)(_t847 - 0x208)) = 0;
                                                            																	 *(_t847 - 0x20c) =  ~( *(_t847 - 0x120)) &  *(_t847 - 0x124);
                                                            																	 *((intOrPtr*)(_t847 - 0x204)) = 1;
                                                            																	 *(_t847 - 0x1e8) = 0;
                                                            																	ShellExecuteExW(_t847 - 0x220);
                                                            																	__eflags =  *((intOrPtr*)(_t847 - 0x200)) - 0x20;
                                                            																	if(__eflags > 0) {
                                                            																		_push( *(_t847 - 0x124));
                                                            																		_t836 =  *(_t847 - 0x1e8);
                                                            																		L00408BFB(0, _t836, _t843, __eflags);
                                                            																		_push( *(_t847 - 0xd0));
                                                            																		goto L114;
                                                            																	} else {
                                                            																		__eflags =  *(_t847 - 0xb1);
                                                            																		if(__eflags == 0) {
                                                            																			E00411936(0, _t783, _t836, _t843, 0,  *0x430698);
                                                            																		}
                                                            																		_push( *(_t847 - 0x124));
                                                            																		L00408BFB(0, _t836, _t843, __eflags);
                                                            																		_push(_t836);
                                                            																		goto L95;
                                                            																	}
                                                            																}
                                                            																L87:
                                                            																SetCurrentDirectoryW( *(_t847 - 0xf0));
                                                            																_push( *(_t847 - 0xf0));
                                                            																L85:
                                                            																L00408BFB(0, _t836, _t843, __eflags);
                                                            																_push( *((intOrPtr*)(_t847 - 0x130)));
                                                            																L00408BFB(0, _t836, _t843, __eflags);
                                                            																goto L72;
                                                            															}
                                                            															__eflags =  *(_t847 - 0xb1);
                                                            															if(__eflags != 0) {
                                                            																L84:
                                                            																_push( *(_t847 - 0x168));
                                                            																goto L85;
                                                            															}
                                                            															__eflags = _t843 - 1;
                                                            															if(_t843 == 1) {
                                                            																L78:
                                                            																E00408639(_t847 - 0x168, _t847, E0040C825(_t745, _t847 - 0xc4, 0xf));
                                                            																_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            																L00408BFB(0, _t836, _t843, __eflags);
                                                            																_pop(_t745);
                                                            																_t843 = 0x80004005;
                                                            																L79:
                                                            																__eflags = _t843 - 0x80004004;
                                                            																if(__eflags != 0) {
                                                            																	_push(0xa);
                                                            																	_push(_t847 - 0xc4);
                                                            																	__eflags =  *(_t847 - 0x164);
                                                            																	if( *(_t847 - 0x164) == 0) {
                                                            																		_t579 = E0040C825(_t745);
                                                            																		 *((intOrPtr*)(_t847 - 0x190)) = 0x424188;
                                                            																		 *(_t847 - 0x18c) = _t843;
                                                            																		 *((intOrPtr*)(_t847 - 0x188)) = 0;
                                                            																		 *((intOrPtr*)(_t847 - 0x184)) = 0;
                                                            																		MessageBoxW(0, E0041397A(_t847 - 0x190),  *_t579, 0x12010);
                                                            																		E00413802(_t847 - 0x190);
                                                            																	} else {
                                                            																		E0040C825(_t745);
                                                            																		MessageBoxW(0,  *(_t847 - 0x168), ??, ??);
                                                            																	}
                                                            																	_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            																	L00408BFB(0, _t836, _t843, __eflags);
                                                            																}
                                                            																goto L84;
                                                            															}
                                                            															__eflags =  *(_t847 - 0xb2);
                                                            															if( *(_t847 - 0xb2) == 0) {
                                                            																goto L79;
                                                            															}
                                                            															goto L78;
                                                            														} else {
                                                            															__eflags =  *(_t847 - 0xb1);
                                                            															if( *(_t847 - 0xb1) == 0) {
                                                            																E00411936(0, _t743, _t836, _t842, 0,  *0x43068c);
                                                            															}
                                                            															L72:
                                                            															_t531 =  *(_t847 - 0xb8);
                                                            															__eflags = _t531;
                                                            															if(__eflags != 0) {
                                                            																 *((intOrPtr*)( *_t531 + 8))(_t531);
                                                            															}
                                                            															L65:
                                                            															E00413A1F(0, _t847 - 0x10c, _t836, _t843, __eflags);
                                                            															_t844 = 1;
                                                            															L52:
                                                            															_push( *((intOrPtr*)(_t847 - 0x118)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x150)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x1c0)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x15c)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x180)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x174)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x19c)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x1a8)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0xdc)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x1e4)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_t368 = _t844;
                                                            															L4:
                                                            															_pop(_t834);
                                                            															_pop(_t839);
                                                            															_pop(_t694);
                                                            															return E00416B12(_t368, _t694,  *(_t847 + 0x64) ^ _t847, _t831, _t834, _t839);
                                                            														}
                                                            													}
                                                            													__eflags =  *(_t847 - 0xb1);
                                                            													if(__eflags == 0) {
                                                            														E00411936(0, _t740, _t836, _t841, 0,  *0x43065c);
                                                            													}
                                                            													goto L65;
                                                            												}
                                                            												_push(_t847 - 0x144);
                                                            												_push(_t847 - 0x1c0);
                                                            												 *((intOrPtr*)(_t847 - 0x140)) = 0;
                                                            												 *((intOrPtr*)(_t847 - 0x13c)) = 0;
                                                            												 *((intOrPtr*)(_t847 - 0x138)) = 0;
                                                            												 *((intOrPtr*)(_t847 - 0x134)) = 4;
                                                            												 *((intOrPtr*)(_t847 - 0x144)) = 0x4242e0;
                                                            												_t592 = E00408E31(0, MessageBoxW, _t841, __eflags);
                                                            												__eflags = _t592;
                                                            												if(_t592 != 0) {
                                                            													E00401647(_t847 - 0xd0, _t847, L"Title");
                                                            													E00408DF4(_t847 - 0xd0, _t847 - 0x1b4, _t847 - 0x144, _t847 - 0xd0);
                                                            													L00408BFB(0, MessageBoxW, _t841, __eflags);
                                                            													 *_t852 = L"BeginPrompt";
                                                            													E00401647(_t847 - 0xd0, _t847,  *(_t847 - 0xd0));
                                                            													E00408DF4(_t847 - 0xd0, _t847 - 0x1cc, _t847 - 0x144, _t847 - 0xd0);
                                                            													L00408BFB(0, MessageBoxW, _t841, __eflags);
                                                            													 *_t852 = L"Progress";
                                                            													E00401647(_t847 - 0xd0, _t847,  *(_t847 - 0xd0));
                                                            													E00408DF4(_t847 - 0xd0, _t847 - 0x1d8, _t847 - 0x144, _t847 - 0xd0);
                                                            													L00408BFB(0, MessageBoxW, _t841, __eflags);
                                                            													 *_t852 = L"no";
                                                            													_t611 = E004089E5(_t847 - 0xd0,  *((intOrPtr*)(_t847 - 0x1d8)),  *(_t847 - 0xd0));
                                                            													__eflags = _t611;
                                                            													if(_t611 == 0) {
                                                            														 *(_t847 - 0xe4) = 0;
                                                            													}
                                                            													E00401647(_t847 - 0xd0, _t847, L"Directory");
                                                            													_t615 = E00408DBE(_t847 - 0x144, _t847 - 0xd0);
                                                            													_push( *(_t847 - 0xd0));
                                                            													_t843 = _t615;
                                                            													L00408BFB(0, _t836, _t843, __eflags);
                                                            													__eflags = _t843;
                                                            													if(_t843 >= 0) {
                                                            														__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t847 - 0x138)) + _t843 * 4)) + 0xc;
                                                            														E00408639(_t847 - 0x150, _t847,  *((intOrPtr*)( *((intOrPtr*)(_t847 - 0x138)) + _t843 * 4)) + 0xc);
                                                            													}
                                                            													__eflags =  *(_t847 - 0x1c8);
                                                            													if( *(_t847 - 0x1c8) == 0) {
                                                            														L61:
                                                            														E00401647(_t847 - 0xd0, _t847, L"RunProgram");
                                                            														E00408639(_t847 - 0x118, _t847, E00408DF4(_t847 - 0xd0, _t847 - 0xc4, _t847 - 0x144, _t847 - 0xd0));
                                                            														_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0xd0));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														E00401647(_t847 - 0xd0, _t847, L"ExecuteFile");
                                                            														E00408639(_t847 - 0x1a8, _t847, E00408DF4(_t847 - 0xd0, _t847 - 0xc4, _t847 - 0x144, _t847 - 0xd0));
                                                            														_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0xd0));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														E00401647(_t847 - 0xd0, _t847, L"ExecuteParameters");
                                                            														_push(_t847 - 0xdc);
                                                            														_push(E00408DF4(_t847 - 0xd0, _t847 - 0xfc, _t847 - 0x144, _t847 - 0xd0));
                                                            														_push(_t847 - 0xc4);
                                                            														E00408639(_t847 - 0x19c, _t847, E004096A4(0, _t836, _t843, __eflags));
                                                            														_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0xd0));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *((intOrPtr*)(_t847 - 0x1d8)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0x1cc));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0x1b4));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_t852 =  &(_t852[6]);
                                                            														E00413B6D(0, _t847 - 0x144, _t836, _t843, __eflags);
                                                            														goto L62;
                                                            													} else {
                                                            														__eflags =  *(_t847 - 0xb1);
                                                            														if( *(_t847 - 0xb1) != 0) {
                                                            															goto L61;
                                                            														}
                                                            														__eflags = MessageBoxW(0,  *(_t847 - 0x1cc),  *(_t847 - 0x1b4), 0x24) - 6;
                                                            														if(__eflags == 0) {
                                                            															goto L61;
                                                            														}
                                                            														_push( *((intOrPtr*)(_t847 - 0x1d8)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0x1cc));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0x1b4));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_t852 =  &(_t852[3]);
                                                            														_t844 = 0;
                                                            														L51:
                                                            														E00413B6D(0, _t847 - 0x144, _t836, _t844, __eflags);
                                                            														goto L52;
                                                            													}
                                                            												}
                                                            												__eflags =  *(_t847 - 0xb1);
                                                            												if( *(_t847 - 0xb1) == 0) {
                                                            													E00411936(0, _t738, MessageBoxW, _t841, 0,  *0x430650);
                                                            												}
                                                            												_t844 = 1;
                                                            												__eflags = 1;
                                                            												goto L51;
                                                            											} else {
                                                            												__eflags =  *(_t847 - 0xb1);
                                                            												if(__eflags == 0) {
                                                            													E00411936(0, _t736, _t835, _t841, 0,  *0x430644);
                                                            												}
                                                            												_push( *((intOrPtr*)(_t847 - 0x1c0)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x15c)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x180)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x174)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x19c)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x1a8)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0xdc)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x1e4)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												goto L3;
                                                            											}
                                                            										}
                                                            										 *(_t847 - 0xb8) = 0xf;
                                                            										_t843 = E00401647(_t847 - 0xd0, _t847, L"/y");
                                                            										_t681 = E004089E5(_t847 - 0xdc,  *((intOrPtr*)(E00408730(_t847 - 0xdc, _t847 - 0xc4, 2))),  *_t678);
                                                            										 *(_t847 - 0xb2) = 0;
                                                            										__eflags = _t681;
                                                            										if(_t681 != 0) {
                                                            											goto L32;
                                                            										}
                                                            										goto L31;
                                                            									}
                                                            									_t682 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"-S");
                                                            									__eflags = _t682;
                                                            									if(_t682 != 0) {
                                                            										goto L28;
                                                            									}
                                                            									_t683 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"/s");
                                                            									__eflags = _t683;
                                                            									if(_t683 != 0) {
                                                            										goto L28;
                                                            									}
                                                            									_t684 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"/S");
                                                            									 *((char*)(_t847 - 0xe0)) = 0;
                                                            									__eflags = _t684;
                                                            									if(_t684 == 0) {
                                                            										goto L29;
                                                            									}
                                                            									goto L28;
                                                            								}
                                                            								_t840 = L"/k=";
                                                            								_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"/k=");
                                                            								__eflags = _t835;
                                                            								if(_t835 == 0) {
                                                            									goto L22;
                                                            								}
                                                            								goto L17;
                                                            							}
                                                            							L13:
                                                            							 *(_t847 - 0xb1) = 1;
                                                            							goto L17;
                                                            						}
                                                            						L11:
                                                            						E00413A48(0, __eflags);
                                                            						goto L12;
                                                            					}
                                                            					__eflags =  *(_t847 - 0xa8);
                                                            					if(__eflags != 0) {
                                                            						L8:
                                                            						__eflags =  *(_t847 - 0xa8) - 1;
                                                            						if(__eflags >= 0) {
                                                            							goto L11;
                                                            						} else {
                                                            							__eflags =  *((intOrPtr*)(_t847 - 0xac)) - 6;
                                                            							goto L10;
                                                            						}
                                                            					}
                                                            					E004138BE(0, _t831, __eflags);
                                                            					__eflags =  *((intOrPtr*)(_t847 - 0xac)) - 6;
                                                            					if(__eflags != 0) {
                                                            						goto L10;
                                                            					}
                                                            					goto L8;
                                                            				}
                                                            			}






















































                                                            0x00414f8e
                                                            0x00414f8e
                                                            0x00414f97
                                                            0x00414f9c
                                                            0x00414f9c
                                                            0x00000000
                                                            0x00414eeb
                                                            0x00414eeb
                                                            0x00414ef1
                                                            0x00414ef4
                                                            0x00414ef4
                                                            0x00414ef9
                                                            0x00414eff
                                                            0x00414f04
                                                            0x00414c0d
                                                            0x00414c0d
                                                            0x00000000
                                                            0x00414c13
                                                            0x00414ee9
                                                            0x00414c42
                                                            0x00414c48
                                                            0x00414c4d
                                                            0x00414c53
                                                            0x00414c58
                                                            0x00414c5a
                                                            0x00000000
                                                            0x00000000
                                                            0x00414c5c
                                                            0x00414c62
                                                            0x00414c6f
                                                            0x00414c6f
                                                            0x00000000
                                                            0x00414c62
                                                            0x00414b4e
                                                            0x00414b53
                                                            0x00414b59
                                                            0x00414b63
                                                            0x00414b6d
                                                            0x00414b73
                                                            0x00414b79
                                                            0x00414b7f
                                                            0x00414b85
                                                            0x00414b94
                                                            0x00414b94
                                                            0x00414ba0
                                                            0x00414ba6
                                                            0x00414bb3
                                                            0x00414bbb
                                                            0x00414bc1
                                                            0x00414bce
                                                            0x00414bd8
                                                            0x00414bde
                                                            0x00414be4
                                                            0x00414beb
                                                            0x00414c19
                                                            0x00414c1f
                                                            0x00414c25
                                                            0x00414c2a
                                                            0x00000000
                                                            0x00414bed
                                                            0x00414bed
                                                            0x00414bf3
                                                            0x00414bfc
                                                            0x00414bfc
                                                            0x00414c01
                                                            0x00414c07
                                                            0x00414c0c
                                                            0x00000000
                                                            0x00414c0c
                                                            0x00414beb
                                                            0x00414b25
                                                            0x00414b2b
                                                            0x00414b2d
                                                            0x00414ae5
                                                            0x00414ae5
                                                            0x00414aea
                                                            0x00414af0
                                                            0x00000000
                                                            0x00414af6
                                                            0x00414a1c
                                                            0x00414a22
                                                            0x00414adf
                                                            0x00414adf
                                                            0x00000000
                                                            0x00414adf
                                                            0x00414a28
                                                            0x00414a2b
                                                            0x00414a35
                                                            0x00414a4a
                                                            0x00414a4f
                                                            0x00414a55
                                                            0x00414a5a
                                                            0x00414a5b
                                                            0x00414a60
                                                            0x00414a60
                                                            0x00414a66
                                                            0x00414a68
                                                            0x00414a70
                                                            0x00414a71
                                                            0x00414a77
                                                            0x00414a90
                                                            0x00414aa3
                                                            0x00414aad
                                                            0x00414ab3
                                                            0x00414ab9
                                                            0x00414ac6
                                                            0x00414ace
                                                            0x00414a79
                                                            0x00414a79
                                                            0x00414a8c
                                                            0x00414a8c
                                                            0x00414ad3
                                                            0x00414ad9
                                                            0x00414ade
                                                            0x00000000
                                                            0x00414a66
                                                            0x00414a2d
                                                            0x00414a33
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00414992
                                                            0x00414992
                                                            0x00414998
                                                            0x004149a1
                                                            0x004149a1
                                                            0x004149a6
                                                            0x004149a6
                                                            0x004149ac
                                                            0x004149ae
                                                            0x004149b3
                                                            0x004149b3
                                                            0x0041494f
                                                            0x00414955
                                                            0x0041495c
                                                            0x0041460a
                                                            0x0041460a
                                                            0x00414610
                                                            0x00414615
                                                            0x0041461b
                                                            0x00414620
                                                            0x00414626
                                                            0x0041462b
                                                            0x00414631
                                                            0x00414636
                                                            0x0041463c
                                                            0x00414641
                                                            0x00414647
                                                            0x0041464c
                                                            0x00414652
                                                            0x00414657
                                                            0x0041465d
                                                            0x00414662
                                                            0x00414668
                                                            0x0041466d
                                                            0x00414673
                                                            0x0041467b
                                                            0x00413fc1
                                                            0x00413fc4
                                                            0x00413fc5
                                                            0x00413fc8
                                                            0x00413fd2
                                                            0x00413fd2
                                                            0x00414990
                                                            0x0041493b
                                                            0x00414941
                                                            0x0041494a
                                                            0x0041494a
                                                            0x00000000
                                                            0x00414941
                                                            0x004145ad
                                                            0x004145b4
                                                            0x004145b5
                                                            0x004145bb
                                                            0x004145c1
                                                            0x004145c7
                                                            0x004145d1
                                                            0x004145db
                                                            0x004145e0
                                                            0x004145e2
                                                            0x0041468d
                                                            0x004146a7
                                                            0x004146b2
                                                            0x004146bd
                                                            0x004146c4
                                                            0x004146de
                                                            0x004146e9
                                                            0x004146f4
                                                            0x004146fb
                                                            0x00414715
                                                            0x00414720
                                                            0x00414725
                                                            0x00414732
                                                            0x00414737
                                                            0x00414739
                                                            0x0041473b
                                                            0x0041473b
                                                            0x0041474c
                                                            0x0041475f
                                                            0x00414764
                                                            0x0041476a
                                                            0x0041476c
                                                            0x00414771
                                                            0x00414774
                                                            0x0041477f
                                                            0x00414789
                                                            0x00414789
                                                            0x0041478e
                                                            0x00414794
                                                            0x004147df
                                                            0x004147ea
                                                            0x00414810
                                                            0x00414815
                                                            0x0041481b
                                                            0x00414820
                                                            0x00414826
                                                            0x00414838
                                                            0x0041485e
                                                            0x00414863
                                                            0x00414869
                                                            0x0041486e
                                                            0x00414874
                                                            0x00414886
                                                            0x00414891
                                                            0x004148ac
                                                            0x004148b3
                                                            0x004148c0
                                                            0x004148c5
                                                            0x004148cb
                                                            0x004148d0
                                                            0x004148d6
                                                            0x004148db
                                                            0x004148e1
                                                            0x004148e6
                                                            0x004148ec
                                                            0x004148f1
                                                            0x004148f7
                                                            0x004148fc
                                                            0x00414902
                                                            0x00414907
                                                            0x00414910
                                                            0x00000000
                                                            0x00414796
                                                            0x00414796
                                                            0x0041479c
                                                            0x00000000
                                                            0x00000000
                                                            0x004147af
                                                            0x004147b2
                                                            0x00000000
                                                            0x00000000
                                                            0x004147b4
                                                            0x004147ba
                                                            0x004147bf
                                                            0x004147c5
                                                            0x004147ca
                                                            0x004147d0
                                                            0x004147d5
                                                            0x004147d8
                                                            0x004145ff
                                                            0x00414605
                                                            0x00000000
                                                            0x00414605
                                                            0x00414794
                                                            0x004145e8
                                                            0x004145ee
                                                            0x004145f7
                                                            0x004145f7
                                                            0x004145fe
                                                            0x004145fe
                                                            0x00000000
                                                            0x004144ff
                                                            0x004144ff
                                                            0x00414505
                                                            0x0041450e
                                                            0x0041450e
                                                            0x00414513
                                                            0x00414519
                                                            0x0041451e
                                                            0x00414524
                                                            0x00414529
                                                            0x0041452f
                                                            0x00414534
                                                            0x0041453a
                                                            0x0041453f
                                                            0x00414545
                                                            0x0041454a
                                                            0x00414550
                                                            0x00414555
                                                            0x0041455b
                                                            0x00414560
                                                            0x00414566
                                                            0x00000000
                                                            0x0041456b
                                                            0x004144fd
                                                            0x004143db
                                                            0x004143ea
                                                            0x00414404
                                                            0x00414409
                                                            0x0041440f
                                                            0x00414411
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00414411
                                                            0x00414310
                                                            0x00414317
                                                            0x00414319
                                                            0x00000000
                                                            0x00000000
                                                            0x00414326
                                                            0x0041432d
                                                            0x0041432f
                                                            0x00000000
                                                            0x00000000
                                                            0x0041433c
                                                            0x00414343
                                                            0x00414349
                                                            0x0041434b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0041434b
                                                            0x00414275
                                                            0x00414286
                                                            0x0041428a
                                                            0x0041428c
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0041428c
                                                            0x0041423a
                                                            0x0041423a
                                                            0x00000000
                                                            0x0041423a
                                                            0x00414037
                                                            0x00414037
                                                            0x00000000
                                                            0x00414037
                                                            0x0041400f
                                                            0x00414015
                                                            0x00414025
                                                            0x00414025
                                                            0x0041402c
                                                            0x00000000
                                                            0x0041402e
                                                            0x0041402e
                                                            0x00000000
                                                            0x0041402e
                                                            0x0041402c
                                                            0x00414017
                                                            0x0041401c
                                                            0x00414023
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00414023

                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 00413FA3
                                                            • CoInitialize.OLE32(00000000), ref: 00413FD6
                                                            • _memset.LIBCMT ref: 00413FEF
                                                            • GetVersionExW.KERNEL32(?), ref: 00414004
                                                            • GetCommandLineW.KERNEL32 ref: 00414068
                                                              • Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                            • _wcslen.LIBCMT ref: 0041428F
                                                              • Part of subcall function 004089E5: CharUpperW.USER32(?), ref: 00408A0F
                                                              • Part of subcall function 004089E5: CharUpperW.USER32(?), ref: 00408A1B
                                                              • Part of subcall function 00408E31: __EH_prolog3.LIBCMT ref: 00408E38
                                                            • ~_Task_impl.LIBCPMT ref: 00414605
                                                            • MessageBoxW.USER32(00000000,?,?,00000024), ref: 004147AD
                                                            • ~_Task_impl.LIBCPMT ref: 00414910
                                                              • Part of subcall function 00413B6D: __EH_prolog3.LIBCMT ref: 00413B74
                                                            • MessageBoxW.USER32(00000000,?,00000000,00012010), ref: 00414A8C
                                                              • Part of subcall function 00411936: MessageBoxW.USER32(?,?,?,00012010), ref: 00411955
                                                              • Part of subcall function 0041397A: FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 0041399D
                                                              • Part of subcall function 0041397A: lstrlenW.KERNEL32(00000000), ref: 004139AA
                                                            • MessageBoxW.USER32(00000000,00000000,?,00012010), ref: 00414AC6
                                                              • Part of subcall function 00413802: LocalFree.KERNEL32(?), ref: 00413820
                                                              • Part of subcall function 00413E7B: __EH_prolog3.LIBCMT ref: 00413E82
                                                            • SetCurrentDirectoryW.KERNELBASE(?,?,00000000,004243F8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414B1F
                                                            • SetCurrentDirectoryW.KERNEL32(?,setup.exe), ref: 00414B2B
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 00414BDE
                                                            • CreateProcessW.KERNELBASE ref: 00414EE1
                                                            • CloseHandle.KERNEL32(?), ref: 00414F15
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00414F40
                                                            • GetExitCodeProcess.KERNELBASE ref: 00414F4E
                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00414F55
                                                            • SetCurrentDirectoryW.KERNELBASE(?), ref: 00414F67
                                                              • Part of subcall function 00409421: __EH_prolog3.LIBCMT ref: 00409428
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00414FA9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Message$CurrentDirectoryH_prolog3$CharCloseProcessTask_implUpperVersion$ChangeCodeCommandCreateException@8ExecuteExitFindFormatFreeHandleInitializeLineLocalNotificationObjectShellSingleThrowWait_malloc_memset_wcslenlstrlen
                                                            • String ID: $ /m="$"$" /k="$"-k=$"/k=$%%T$%%T\$-k=$/k=$;!@Install@!UTF-8!$;!@InstallEnd@!$Directory$ExecuteFile$ExecuteParameters$RunProgram$Title$X~H$setup.exe$BB
                                                            • API String ID: 341712163-368068072
                                                            • Opcode ID: a9d9a0855de43823dfb4dfec05b57706af315ca4f4bb22283350850105dcec06
                                                            • Instruction ID: 0adf49adcb97444a0658e12179214cffe8ab958646542027bda483d16c8951a9
                                                            • Opcode Fuzzy Hash: a9d9a0855de43823dfb4dfec05b57706af315ca4f4bb22283350850105dcec06
                                                            • Instruction Fuzzy Hash: 3D926B71804229AEDB21AB61DD92FDEB779AF44314F0041EFB149720A2DF395EC49F68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E00409263(void* __ebx, void** __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				signed int _t17;
                                                            				void* _t24;
                                                            				intOrPtr _t27;
                                                            				void* _t34;
                                                            				void* _t36;
                                                            				intOrPtr _t37;
                                                            				intOrPtr _t45;
                                                            				void** _t47;
                                                            				intOrPtr _t48;
                                                            				WCHAR* _t50;
                                                            				intOrPtr _t52;
                                                            				struct _WIN32_FIND_DATAW* _t53;
                                                            				void* _t55;
                                                            
                                                            				_t45 = __edx;
                                                            				_t53 = _t55 - 0x24c;
                                                            				_t17 =  *0x42d330; // 0x41c6c370
                                                            				 *(_t53 + 0x250) = _t17 ^ _t53;
                                                            				_push(0x10);
                                                            				E00416B21(E004215F5, __ebx, __edi, __esi);
                                                            				_t50 =  *(_t53 + 0x25c);
                                                            				_t47 = __ecx;
                                                            				 *((intOrPtr*)(_t53 - 0x10)) =  *((intOrPtr*)(_t53 + 0x260));
                                                            				if(E004091A4(__ecx) != 0) {
                                                            					_t36 = FindFirstFileW;
                                                            					_t24 = FindFirstFileW(_t50, _t53); // executed
                                                            					 *_t47 = _t24;
                                                            					__eflags = _t24 - 0xffffffff;
                                                            					if(__eflags != 0) {
                                                            						L6:
                                                            						E00409208(_t53, _t45,  *((intOrPtr*)(_t53 - 0x10)), __eflags);
                                                            						_t27 = 1;
                                                            					} else {
                                                            						E0040320A(_t53 - 0x1c);
                                                            						 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
                                                            						__eflags = E00409876(__eflags, _t50, _t53 - 0x1c);
                                                            						if(__eflags != 0) {
                                                            							_t34 = FindFirstFileW( *(_t53 - 0x1c), _t53); // executed
                                                            							 *_t47 = _t34;
                                                            						}
                                                            						_push( *(_t53 - 0x1c));
                                                            						 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                                                            						L00408BFB(_t36, _t47, _t50, __eflags);
                                                            						__eflags =  *_t47 - 0xffffffff;
                                                            						if(__eflags == 0) {
                                                            							goto L1;
                                                            						} else {
                                                            							goto L6;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					L1:
                                                            					_t27 = 0;
                                                            				}
                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                                                            				_pop(_t48);
                                                            				_pop(_t52);
                                                            				_pop(_t37);
                                                            				return E00416B12(_t27, _t37,  *(_t53 + 0x250) ^ _t53, _t45, _t48, _t52);
                                                            			}


















                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00409282
                                                              • Part of subcall function 004091A4: FindClose.KERNELBASE ref: 004091AF
                                                            • FindFirstFileW.KERNELBASE(?,00000000,00000010), ref: 004092B0
                                                            • FindFirstFileW.KERNELBASE(?,00000000,?,?), ref: 004092DA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Find$FileFirst$CloseH_prolog3
                                                            • String ID:
                                                            • API String ID: 410050502-0
                                                            • Opcode ID: 975f62184b0334722376676e6a1b5c0cce0942489d580ab71d93cee25a15793a
                                                            • Instruction ID: 90385d78ba4da19f661f7c17792072272f02829a24cb1b28e9608c506c2898f7
                                                            • Opcode Fuzzy Hash: 975f62184b0334722376676e6a1b5c0cce0942489d580ab71d93cee25a15793a
                                                            • Instruction Fuzzy Hash: FD21A531900209ABDF10EF64DC456EEB3B4FF54325F50457EE824A72C2DB39AE059B18
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E00413849() {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				intOrPtr* _t18;
                                                            				signed int _t20;
                                                            				signed int _t22;
                                                            				signed int _t24;
                                                            
                                                            				if(GetVersion() < 0x106) {
                                                            					L4:
                                                            					return 0;
                                                            				}
                                                            				_v8 = _v8 & 0x00000000;
                                                            				__imp__CoCreateInstance(0x424144, 0, 0x15, 0x424468,  &_v8); // executed
                                                            				_t18 = _v8;
                                                            				if(_t18 == 0) {
                                                            					goto L4;
                                                            				}
                                                            				 *((intOrPtr*)( *_t18 + 0xc))(_t18);
                                                            				_t20 = _v8;
                                                            				_v12 = _v12 & 0x00000000;
                                                            				 *((intOrPtr*)( *_t20))(_t20, 0x424154,  &_v12);
                                                            				_t22 = _v12;
                                                            				if(_t22 == 0) {
                                                            					goto L4;
                                                            				}
                                                            				_v16 = _v16 & 0x00000000;
                                                            				 *((intOrPtr*)( *_t22))(_t22, 0x424164,  &_v16);
                                                            				_t24 = _v16;
                                                            				if(_t24 == 0) {
                                                            					goto L4;
                                                            				}
                                                            				return _t24;
                                                            			}











                                                            APIs
                                                            • GetVersion.KERNEL32 ref: 0041384F
                                                            • CoCreateInstance.OLE32(00424144,00000000,00000015,00424468,00000000), ref: 00413872
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CreateInstanceVersion
                                                            • String ID:
                                                            • API String ID: 1462612201-0
                                                            • Opcode ID: 1df9f16ccb6b58e935b73724829fc73732dd41c85f6bb66b2655cf45922927b1
                                                            • Instruction ID: 000772e63e32c23fd11f283ae19779ba3719b23df6ed4c586ad162505f51138c
                                                            • Opcode Fuzzy Hash: 1df9f16ccb6b58e935b73724829fc73732dd41c85f6bb66b2655cf45922927b1
                                                            • Instruction Fuzzy Hash: E401DE74B40209AFEB10DFA0D849BAEB7B9EF84706F504495F501E7294D778DA44CB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 97%
                                                            			E00413A48(void* __ebx, void* __eflags) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t19;
                                                            				long _t43;
                                                            				void* _t48;
                                                            				void* _t49;
                                                            				void* _t52;
                                                            				void* _t53;
                                                            				void* _t55;
                                                            				signed int _t56;
                                                            				void* _t58;
                                                            
                                                            				_t56 = _t58 - 0x39c;
                                                            				_t19 =  *0x42d330; // 0x41c6c370
                                                            				 *(_t56 + 0x398) = _t19 ^ _t56;
                                                            				 *(_t56 - 0x78) = 0;
                                                            				E00417D60(0x206, _t56 - 0x76, 0, 0x206);
                                                            				GetModuleFileNameW(0, _t56 - 0x78, 0x208);
                                                            				 *(_t56 + 0x190) = 0;
                                                            				E00417D60(0x206, _t56 + 0x192, 0, 0x206);
                                                            				E00417F66(_t56 + 0x190, 0x104, L"Applications\\");
                                                            				E00417ECB(_t56 + 0x190, 0x104, E00417E68(_t56 - 0x78, 0x5c) + 2);
                                                            				 *(_t56 - 0x7c) = 0;
                                                            				RegCreateKeyExW(0x80000000, _t56 + 0x190, 0, 0, 0, 0xf003f, 0, _t56 - 0x7c, 0); // executed
                                                            				 *(_t56 - 0x80) = 0;
                                                            				RegSetValueExW( *(_t56 - 0x7c), L"IsHostApp", 0, 1, _t56 - 0x80, 2); // executed
                                                            				_t43 = RegCloseKey( *(_t56 - 0x7c));
                                                            				_t52 = _t49;
                                                            				_t55 = _t53;
                                                            				return E00416B12(_t43, __ebx,  *(_t56 + 0x398) ^ _t56, _t48, _t52, _t55);
                                                            			}















                                                            APIs
                                                            • _memset.LIBCMT ref: 00413A78
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00413A8A
                                                            • _memset.LIBCMT ref: 00413AA2
                                                            • _wcsrchr.LIBCMT ref: 00413AC4
                                                            • RegCreateKeyExW.KERNELBASE(80000000,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00413AF9
                                                            • RegSetValueExW.KERNELBASE(?,IsHostApp,00000000,00000001,?,00000002), ref: 00413B16
                                                            • RegCloseKey.ADVAPI32(?), ref: 00413B1F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: _memset$CloseCreateFileModuleNameValue_wcsrchr
                                                            • String ID: Applications\$IsHostApp
                                                            • API String ID: 1474337858-1667566961
                                                            • Opcode ID: 5e3dc54ae11a1f9641f6188a72024ae741d618748a8b804301cdbc1b71d582ac
                                                            • Instruction ID: f3e52b5f11f812091451beb3f7458e6075dc3339fdcbbde6c0cf17278445c60e
                                                            • Opcode Fuzzy Hash: 5e3dc54ae11a1f9641f6188a72024ae741d618748a8b804301cdbc1b71d582ac
                                                            • Instruction Fuzzy Hash: DD216072A00258BADB31AFB1EC49EEF7BBCEF49704F10002ABA19D7141D6745644CBA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 79%
                                                            			E004107BB(intOrPtr* __ecx, intOrPtr _a4, signed short _a8, unsigned int _a12) {
                                                            				void* _t39;
                                                            				void* _t42;
                                                            				void* _t48;
                                                            				void* _t51;
                                                            				void* _t54;
                                                            				void* _t56;
                                                            				void* _t59;
                                                            				intOrPtr _t83;
                                                            				WCHAR** _t95;
                                                            
                                                            				_t97 = __ecx;
                                                            				_t83 = _a4;
                                                            				_t39 = _t83 - 5;
                                                            				if(_t39 == 0) {
                                                            					_push(_a12 >> 0x10);
                                                            					_push(_a12 & 0x0000ffff);
                                                            					_push(_a8);
                                                            					return  *((intOrPtr*)( *__ecx + 0x1c))();
                                                            				}
                                                            				_t42 = _t39 - 0x41;
                                                            				if(_t42 == 0) {
                                                            					if( *((intOrPtr*)(__ecx + 0x18)) == 0) {
                                                            						return 0;
                                                            					}
                                                            					_a12[6] = 0;
                                                            					SetForegroundWindow(GetDesktopWindow());
                                                            					L20:
                                                            					return 1;
                                                            				}
                                                            				_t48 = _t42 - 8;
                                                            				if(_t48 == 0) {
                                                            					_push(_a12);
                                                            					_push(_a8);
                                                            					return  *((intOrPtr*)( *__ecx + 0x30))();
                                                            				}
                                                            				_t51 = _t48 - 5;
                                                            				if(_t51 == 0) {
                                                            					 *((intOrPtr*)( *__ecx + 0x20))();
                                                            					goto L20;
                                                            				}
                                                            				_t54 = _t51 - 0xbd;
                                                            				if(_t54 == 0) {
                                                            					_t56 =  *((intOrPtr*)( *__ecx + 0x10))();
                                                            					SetEvent( *(__ecx + 0x1c));
                                                            					return _t56;
                                                            				}
                                                            				_t59 = _t54 - 1;
                                                            				if(_t59 == 0) {
                                                            					_push(_a12);
                                                            					_push(_a8);
                                                            					return  *((intOrPtr*)( *__ecx + 0x18))();
                                                            				}
                                                            				if(_t59 == 0) {
                                                            					_push(_a12);
                                                            					_push(_a8);
                                                            					return  *((intOrPtr*)( *__ecx + 0x34))();
                                                            				}
                                                            				_t95 = _a12;
                                                            				if(_t83 !=  *((intOrPtr*)(__ecx + 8))) {
                                                            					L11:
                                                            					if(_t83 !=  *((intOrPtr*)(_t97 + 0x10))) {
                                                            						L15:
                                                            						return 0;
                                                            					}
                                                            					ShowWindow( *(_t97 + 4), 5);
                                                            					do {
                                                            					} while (PeekMessageW(0,  *(_t97 + 4), 0, 0, 0) != 0);
                                                            					 *((intOrPtr*)(_t97 + 0xc)) = MessageBoxW( *(_t97 + 4),  *_t95, _t95[1], _t95[2]);
                                                            					SetEvent( *(_t97 + 0x14));
                                                            					goto L15;
                                                            				}
                                                            				ShowWindow( *(__ecx + 4), 5);
                                                            				do {
                                                            				} while (PeekMessageW(0,  *(_t97 + 4), 0, 0, 0) != 0);
                                                            				 *((intOrPtr*)(_t97 + 0xc)) = E0041079E(_t95, _a8 & 0x0000ffff,  *(_t97 + 4));
                                                            				SetEvent( *(_t97 + 0x14));
                                                            				_t83 = _a4;
                                                            				goto L11;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Window$EventMessage$PeekShow$DesktopForeground
                                                            • String ID:
                                                            • API String ID: 492945738-0
                                                            • Opcode ID: 1020dcf3a7cf4a9841e136e5eebde1db1a257eca119acd236c22988f0cc26945
                                                            • Instruction ID: ef53d117bb9aac1f46f3e2f1aa8cb95ae6132c7bce52066b60c1aa11a3ec3fe9
                                                            • Opcode Fuzzy Hash: 1020dcf3a7cf4a9841e136e5eebde1db1a257eca119acd236c22988f0cc26945
                                                            • Instruction Fuzzy Hash: 32417EB4204605EFDB255F64CC58CAABBB9FF08311700491AF85287621C779DD91DF68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 65%
                                                            			E00417A38(intOrPtr __edx, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
                                                            				struct _SECURITY_ATTRIBUTES* _v0;
                                                            				DWORD* _v12;
                                                            				void* _v20;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				void* _t27;
                                                            				void* _t33;
                                                            				DWORD* _t38;
                                                            				intOrPtr* _t40;
                                                            				void* _t42;
                                                            				void* _t48;
                                                            				long _t51;
                                                            				void* _t61;
                                                            				struct _SECURITY_ATTRIBUTES* _t62;
                                                            				intOrPtr* _t64;
                                                            				void* _t65;
                                                            
                                                            				_t58 = __edx;
                                                            				_push(_t64);
                                                            				E0041871A();
                                                            				_t27 = E004186FA(E00418714());
                                                            				if(_t27 != 0) {
                                                            					_t51 = _a4;
                                                            					 *((intOrPtr*)(_t27 + 0x54)) =  *((intOrPtr*)(_t51 + 0x54));
                                                            					 *((intOrPtr*)(_t27 + 0x58)) =  *((intOrPtr*)(_t51 + 0x58));
                                                            					_t58 =  *((intOrPtr*)(_t51 + 4));
                                                            					_push(_t51);
                                                            					 *((intOrPtr*)(_t27 + 4)) =  *((intOrPtr*)(_t51 + 4));
                                                            					E00418922(_t48, _t61, _t64, __eflags);
                                                            				} else {
                                                            					_t64 = _a4;
                                                            					if(E0041874E(E00418714(), _t64) == 0) {
                                                            						ExitThread(GetLastError());
                                                            					}
                                                            					 *_t64 = GetCurrentThreadId();
                                                            				}
                                                            				_t73 =  *0x434300;
                                                            				if( *0x434300 != 0) {
                                                            					_t42 = E0041AFE0(_t73, 0x434300);
                                                            					_pop(_t51);
                                                            					_t74 = _t42;
                                                            					if(_t42 != 0) {
                                                            						 *0x434300(); // executed
                                                            					}
                                                            				}
                                                            				E004179F7(_t58, _t61, _t64, _t74); // executed
                                                            				asm("int3");
                                                            				_push(_t51);
                                                            				_push(_t48);
                                                            				_push(_t61);
                                                            				_t62 = _v0;
                                                            				_v20 = 0;
                                                            				_t75 = _t62;
                                                            				if(_t62 != 0) {
                                                            					_push(_t64);
                                                            					E0041871A();
                                                            					_t65 = E0041AE0D(1, 0x214);
                                                            					__eflags = _t65;
                                                            					if(__eflags == 0) {
                                                            						L16:
                                                            						_push(_t65);
                                                            						E004174DE(0, _t62, _t65, __eflags);
                                                            						__eflags = _v12;
                                                            						if(_v12 != 0) {
                                                            							E0041AD6E(_v12);
                                                            						}
                                                            						_t33 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_push( *((intOrPtr*)(E00418908(0, _t58, _t62, __eflags) + 0x6c)));
                                                            						_push(_t65);
                                                            						E004187A8(0, _t62, _t65, __eflags);
                                                            						 *(_t65 + 4) =  *(_t65 + 4) | 0xffffffff;
                                                            						 *((intOrPtr*)(_t65 + 0x58)) = _a12;
                                                            						_t38 = _a20;
                                                            						 *((intOrPtr*)(_t65 + 0x54)) = _t62;
                                                            						__eflags = _t38;
                                                            						if(_t38 == 0) {
                                                            							_t38 =  &_a8;
                                                            						}
                                                            						_t33 = CreateThread(_v0, _a4, E00417A38, _t65, _a16, _t38); // executed
                                                            						__eflags = _t33;
                                                            						if(__eflags == 0) {
                                                            							_v12 = GetLastError();
                                                            							goto L16;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t40 = E0041AD48(_t75);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					 *_t40 = 0x16;
                                                            					E0041B335(_t58, _t62, _t64);
                                                            					_t33 = 0;
                                                            				}
                                                            				return _t33;
                                                            			}

                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 00417A3E
                                                              • Part of subcall function 0041871A: TlsGetValue.KERNEL32(?,00417A43), ref: 00418723
                                                              • Part of subcall function 0041871A: __decode_pointer.LIBCMT ref: 00418735
                                                              • Part of subcall function 0041871A: TlsSetValue.KERNEL32(00000000,00417A43), ref: 00418744
                                                            • ___fls_getvalue@4.LIBCMT ref: 00417A49
                                                              • Part of subcall function 004186FA: TlsGetValue.KERNEL32(?,?,00417A4E,00000000), ref: 00418708
                                                            • ___fls_setvalue@8.LIBCMT ref: 00417A5C
                                                              • Part of subcall function 0041874E: __decode_pointer.LIBCMT ref: 0041875F
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00417A65
                                                            • ExitThread.KERNEL32 ref: 00417A6C
                                                            • GetCurrentThreadId.KERNEL32 ref: 00417A72
                                                            • __freefls@4.LIBCMT ref: 00417A92
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00417AA5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                            • String ID:
                                                            • API String ID: 1925773019-0
                                                            • Opcode ID: ad25c5c030c8e423ef252c91bc7494b41323f4b5739d17432caa5a6650f4ba42
                                                            • Instruction ID: 23fa8d03a6744e6ba2d29b3b09d89d6d24b2700031a043de03642765a198108a
                                                            • Opcode Fuzzy Hash: ad25c5c030c8e423ef252c91bc7494b41323f4b5739d17432caa5a6650f4ba42
                                                            • Instruction Fuzzy Hash: F8014474504201ABC714AF72DC499DE7BB9AF44359720852EB80587252DF3CD9C2C66D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Figure: control-flow graph of the function starting at 40255f; legend: Executed / Not Executed]
                                                            C-Code - Quality: 87%
                                                            			E0040255F(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				signed int _t241;
                                                            				signed int _t244;
                                                            				signed int _t245;
                                                            				void* _t246;
                                                            				intOrPtr _t248;
                                                            				signed int _t255;
                                                            				signed int _t259;
                                                            				intOrPtr _t261;
                                                            				signed int _t262;
                                                            				signed int _t263;
                                                            				signed int _t273;
                                                            				signed int _t274;
                                                            				intOrPtr _t278;
                                                            				signed int _t281;
                                                            				signed int _t282;
                                                            				signed int _t283;
                                                            				signed int _t286;
                                                            				signed int _t287;
                                                            				signed int _t292;
                                                            				signed int _t295;
                                                            				signed int _t298;
                                                            				signed int _t299;
                                                            				signed int _t302;
                                                            				signed int _t308;
                                                            				signed int _t311;
                                                            				signed int _t316;
                                                            				intOrPtr _t323;
                                                            				signed int _t338;
                                                            				signed int _t339;
                                                            				intOrPtr _t341;
                                                            				signed int _t361;
                                                            				intOrPtr _t391;
                                                            				intOrPtr _t399;
                                                            				signed int _t402;
                                                            				signed int _t403;
                                                            				intOrPtr* _t404;
                                                            				signed int _t406;
                                                            				intOrPtr _t408;
                                                            				signed int _t411;
                                                            				void* _t414;
                                                            				signed int _t415;
                                                            				signed int _t417;
                                                            				intOrPtr _t418;
                                                            				void* _t419;
                                                            				void* _t429;
                                                            
                                                            				_t399 = __edx;
                                                            				_push(0xb8);
                                                            				_t241 = E00416B54(E00420E32, __ebx, __edi, __esi);
                                                            				_t402 = 0;
                                                            				 *((intOrPtr*)(_t419 - 4)) = 0;
                                                            				 *((char*)(_t419 + 8)) = _t241 & 0xffffff00 |  *(_t419 + 0x6c) != 0x00000000;
                                                            				E0040222C(_t419 + 0x70,  *(_t419 + 0x70));
                                                            				_t338 =  *(_t419 + 0x60);
                                                            				 *((char*)(_t419 + 0x6f)) =  *((intOrPtr*)(_t419 + 0x68)) == 0xffffffff;
                                                            				 *(_t419 + 0x44) = 0;
                                                            				 *((intOrPtr*)(_t419 + 0x48)) = 0;
                                                            				if( *((char*)(_t419 + 0x6f)) != 0) {
                                                            					 *((intOrPtr*)(_t419 + 0x68)) =  *((intOrPtr*)(_t338 + 0x7c));
                                                            				}
                                                            				if( *((intOrPtr*)(_t419 + 0x68)) != _t402) {
                                                            					 *(_t419 + 0x30) = _t402;
                                                            					 *(_t419 + 0x34) = _t402;
                                                            					 *(_t419 + 0x38) = _t402;
                                                            					 *((intOrPtr*)(_t419 + 0x3c)) = 4;
                                                            					 *((intOrPtr*)(_t419 + 0x2c)) = 0x423428;
                                                            					 *((char*)(_t419 - 4)) = 2;
                                                            					 *(_t419 + 0x54) = _t402;
                                                            					while(1) {
                                                            						_t244 =  *(_t419 + 0x54);
                                                            						__eflags = _t244 -  *((intOrPtr*)(_t419 + 0x68));
                                                            						if(_t244 >=  *((intOrPtr*)(_t419 + 0x68))) {
                                                            							break;
                                                            						}
                                                            						__eflags =  *((char*)(_t419 + 0x6f));
                                                            						if( *((char*)(_t419 + 0x6f)) == 0) {
                                                            							_t244 =  *( *(_t419 + 0x64) + _t244 * 4);
                                                            						}
                                                            						_t417 =  *( *((intOrPtr*)(_t338 + 0x1c8)) + _t244 * 4);
                                                            						 *(_t419 + 0x4c) = _t244;
                                                            						__eflags = _t417 - 0xffffffff;
                                                            						if(__eflags != 0) {
                                                            							_t316 =  *(_t419 + 0x34);
                                                            							__eflags = _t316 - _t402;
                                                            							if(__eflags == 0) {
                                                            								L15:
                                                            								_push(_t417);
                                                            								_push(0xffffffff);
                                                            								_push(E004022AF(_t338, _t419 - 0x38, _t399, _t402, _t417, __eflags));
                                                            								_t49 = _t419 + 0x2c; // 0x423428
                                                            								 *((char*)(_t419 - 4)) = 4;
                                                            								E0040251F(_t338, _t49, _t402, _t417, __eflags);
                                                            								 *((char*)(_t419 - 4)) = 2;
                                                            								E00408BC5(_t419 - 0x30);
                                                            								_t391 = E004023E2( *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x58)) + _t417 * 4)));
                                                            								_t58 = _t419 + 0x44;
                                                            								 *_t58 =  *(_t419 + 0x44) + _t391;
                                                            								__eflags =  *_t58;
                                                            								_t323 =  *((intOrPtr*)( *(_t419 + 0x38) +  *(_t419 + 0x34) * 4 - 4));
                                                            								 *((intOrPtr*)(_t323 + 0x20)) = _t391;
                                                            								asm("adc [ebp+0x48], edx");
                                                            								 *((intOrPtr*)(_t323 + 0x24)) = _t399;
                                                            								L16:
                                                            								_t408 =  *((intOrPtr*)( *(_t419 + 0x38) +  *(_t419 + 0x34) * 4 - 4));
                                                            								_t341 =  *((intOrPtr*)( *((intOrPtr*)( *(_t419 + 0x60) + 0x1b4)) + _t417 * 4));
                                                            								_t418 =  *((intOrPtr*)(_t408 + 0x10));
                                                            								while(1) {
                                                            									_t328 =  *(_t419 + 0x4c) - _t341;
                                                            									__eflags = _t418 -  *(_t419 + 0x4c) - _t341;
                                                            									if(_t418 >  *(_t419 + 0x4c) - _t341) {
                                                            										break;
                                                            									}
                                                            									_t78 = _t408 + 8; // 0xa
                                                            									E0040220A(_t78, (_t328 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
                                                            									_t418 = _t418 + 1;
                                                            								}
                                                            								_t338 =  *(_t419 + 0x60);
                                                            								goto L20;
                                                            							}
                                                            							__eflags = _t417 -  *((intOrPtr*)( *((intOrPtr*)( *(_t419 + 0x38) + _t316 * 4 - 4)) + 4));
                                                            							if(__eflags == 0) {
                                                            								goto L16;
                                                            							}
                                                            							goto L15;
                                                            						} else {
                                                            							_push(_t417);
                                                            							_push(_t244);
                                                            							_push(E004022AF(_t338, _t419 - 0x38, _t399, _t402, _t417, __eflags));
                                                            							_t38 = _t419 + 0x2c; // 0x423428
                                                            							 *((char*)(_t419 - 4)) = 3;
                                                            							E0040251F(_t338, _t38, _t402, _t417, __eflags);
                                                            							 *((char*)(_t419 - 4)) = 2;
                                                            							E00408BC5(_t419 - 0x30);
                                                            							L20:
                                                            							 *(_t419 + 0x54) =  *(_t419 + 0x54) + 1;
                                                            							_t402 = 0;
                                                            							continue;
                                                            						}
                                                            					}
                                                            					_t245 =  *(_t419 + 0x70);
                                                            					_t246 =  *((intOrPtr*)( *_t245 + 0xc))(_t245,  *(_t419 + 0x44),  *((intOrPtr*)(_t419 + 0x48)));
                                                            					_t410 = _t246;
                                                            					__eflags = _t246 - _t402;
                                                            					if(__eflags == 0) {
                                                            						E004019B6(_t419 - 0xc4, __eflags, 1);
                                                            						 *((char*)(_t419 - 4)) = 5;
                                                            						 *(_t419 + 0x1c) = _t402;
                                                            						 *(_t419 + 0x20) = _t402;
                                                            						 *(_t419 + 0x24) = _t402;
                                                            						 *(_t419 + 0x28) = _t402;
                                                            						_t248 = E00408BD0(_t338, _t402, __eflags, 0x38);
                                                            						 *((intOrPtr*)(_t419 + 0x68)) = _t248;
                                                            						 *((char*)(_t419 - 4)) = 6;
                                                            						__eflags = _t248 - _t402;
                                                            						if(_t248 == _t402) {
                                                            							_t411 = 0;
                                                            							__eflags = 0;
                                                            						} else {
                                                            							_t411 = E0040ACF5(_t248);
                                                            						}
                                                            						 *((char*)(_t419 - 4)) = 5;
                                                            						 *((intOrPtr*)(_t419 + 0x48)) = _t411;
                                                            						E0040222C(_t419 + 0x50, _t411);
                                                            						_push(_t402);
                                                            						 *((char*)(_t419 - 4)) = 7;
                                                            						E0040AC22(_t411,  *(_t419 + 0x70));
                                                            						_t403 = 0;
                                                            						__eflags = 0;
                                                            						 *(_t419 + 0x4c) = 0;
                                                            						while(1) {
                                                            							 *(_t411 + 0x28) =  *(_t419 + 0x24);
                                                            							 *(_t411 + 0x2c) =  *(_t419 + 0x28);
                                                            							 *(_t411 + 0x20) =  *(_t419 + 0x1c);
                                                            							 *(_t411 + 0x24) =  *(_t419 + 0x20);
                                                            							_t255 = E0040AC17(_t411);
                                                            							_t412 = _t255;
                                                            							__eflags = _t255;
                                                            							if(_t255 != 0) {
                                                            								break;
                                                            							}
                                                            							__eflags = _t403 -  *(_t419 + 0x34);
                                                            							if(__eflags < 0) {
                                                            								_t404 =  *((intOrPtr*)( *(_t419 + 0x38) + _t403 * 4));
                                                            								 *((intOrPtr*)(_t419 + 0xc)) =  *((intOrPtr*)(_t404 + 0x20));
                                                            								 *((intOrPtr*)(_t419 + 0x10)) =  *((intOrPtr*)(_t404 + 0x24));
                                                            								 *((intOrPtr*)(_t419 + 0x14)) = 0;
                                                            								 *((intOrPtr*)(_t419 + 0x18)) = 0;
                                                            								_t259 = E00408BD0(_t338, _t404, __eflags, 0x38);
                                                            								 *(_t419 + 0x40) = _t259;
                                                            								 *((char*)(_t419 - 4)) = 8;
                                                            								__eflags = _t259;
                                                            								if(__eflags == 0) {
                                                            									 *(_t419 + 0x54) = 0;
                                                            								} else {
                                                            									 *(_t419 + 0x54) = E00402B81(_t338, _t259, _t404, 0, __eflags);
                                                            								}
                                                            								_t350 = _t419 + 0x6c;
                                                            								 *((char*)(_t419 - 4)) = 7;
                                                            								E0040222C(_t419 + 0x6c,  *(_t419 + 0x54));
                                                            								_t261 =  *_t404;
                                                            								 *((char*)(_t419 - 4)) = 9;
                                                            								_t414 = _t338 + 0x10;
                                                            								__eflags = _t261 - 0xffffffff;
                                                            								if(_t261 == 0xffffffff) {
                                                            									_t350 =  *(_t414 + 0x1a4);
                                                            									_t261 =  *((intOrPtr*)( *(_t414 + 0x1a4) +  *(_t404 + 4) * 4));
                                                            								}
                                                            								__eflags =  *(_t338 + 0x1e4);
                                                            								_t262 = E00402F5C(_t338,  *(_t419 + 0x54), _t404, _t414, 0, _t261, _t404 + 8,  *(_t419 + 0x70),  *((intOrPtr*)(_t419 + 8)), (_t350 & 0xffffff00 |  *(_t338 + 0x1e4) != 0x00000000) & 0x000000ff); // executed
                                                            								_t339 = _t262;
                                                            								__eflags = _t339;
                                                            								if(_t339 == 0) {
                                                            									__eflags =  *_t404 - 0xffffffff;
                                                            									if( *_t404 != 0xffffffff) {
                                                            										L76:
                                                            										_t263 =  *(_t419 + 0x6c);
                                                            										 *((char*)(_t419 - 4)) = 7;
                                                            										__eflags = _t263;
                                                            										if(_t263 != 0) {
                                                            											 *((intOrPtr*)( *_t263 + 8))(_t263);
                                                            										}
                                                            										L78:
                                                            										 *(_t419 + 0x4c) =  *(_t419 + 0x4c) + 1;
                                                            										 *(_t419 + 0x24) =  *(_t419 + 0x24) +  *((intOrPtr*)(_t419 + 0xc));
                                                            										_t338 =  *(_t419 + 0x60);
                                                            										asm("adc [ebp+0x28], eax");
                                                            										 *(_t419 + 0x1c) =  *(_t419 + 0x1c) +  *((intOrPtr*)(_t419 + 0x14));
                                                            										_t411 =  *((intOrPtr*)(_t419 + 0x48));
                                                            										asm("adc [ebp+0x20], eax");
                                                            										_t403 =  *(_t419 + 0x4c);
                                                            										continue;
                                                            									}
                                                            									_t406 =  *(_t404 + 4);
                                                            									 *(_t419 + 0x40) =  *( *((intOrPtr*)(_t414 + 0x48)) + _t406 * 4);
                                                            									 *((intOrPtr*)(_t419 + 0x14)) = E0040242E(_t414, _t406);
                                                            									_t338 =  *( *((intOrPtr*)(_t414 + 0x190)) + _t406 * 4);
                                                            									 *((intOrPtr*)(_t419 + 0x18)) = _t399;
                                                            									_t273 = E00402280(_t414, _t406, 0);
                                                            									 *(_t419 + 0x64) =  *(_t419 + 0x64) & 0x00000000;
                                                            									_t403 = _t273;
                                                            									 *((intOrPtr*)(_t419 + 4)) = _t399;
                                                            									_t274 =  *(_t419 + 0x70);
                                                            									 *((char*)(_t419 - 4)) = 0xa;
                                                            									__eflags = _t274;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t274))(_t274, 0x424174, _t419 + 0x64);
                                                            									}
                                                            									_t399 = _t419 + 0x6b;
                                                            									_push(_t399);
                                                            									_push( *(_t419 + 0x64));
                                                            									_push( *(_t419 + 0x50));
                                                            									 *((char*)(_t419 - 4)) = 0xb;
                                                            									_push( *(_t419 + 0x6c));
                                                            									_push( *(_t419 + 0x40));
                                                            									_push( *((intOrPtr*)(_t414 + 0xc)) + _t338 * 8);
                                                            									_push( *((intOrPtr*)(_t419 + 4)));
                                                            									_push(_t403);
                                                            									_push( *((intOrPtr*)( *(_t419 + 0x60) + 8)));
                                                            									_t415 = E00401ADB(_t338, _t419 - 0xc4, _t403, _t414, __eflags);
                                                            									__eflags = _t415 - 1;
                                                            									if(_t415 != 1) {
                                                            										__eflags = _t415 - 0x80004001;
                                                            										if(_t415 != 0x80004001) {
                                                            											__eflags = _t415;
                                                            											if(_t415 == 0) {
                                                            												_t361 =  *(_t419 + 0x54);
                                                            												_t278 =  *((intOrPtr*)(_t361 + 0x18));
                                                            												__eflags =  *((intOrPtr*)(_t361 + 0x28)) -  *((intOrPtr*)(_t278 + 8));
                                                            												if( *((intOrPtr*)(_t361 + 0x28)) !=  *((intOrPtr*)(_t278 + 8))) {
                                                            													goto L56;
                                                            												}
                                                            												 *((intOrPtr*)(_t419 - 4)) = 9;
                                                            												_t295 =  *(_t419 + 0x64);
                                                            												__eflags = _t295;
                                                            												if(_t295 != 0) {
                                                            													 *((intOrPtr*)( *_t295 + 8))(_t295);
                                                            												}
                                                            												goto L76;
                                                            											}
                                                            											_t281 =  *(_t419 + 0x64);
                                                            											 *((char*)(_t419 - 4)) = 9;
                                                            											goto L57;
                                                            										}
                                                            										_t361 =  *(_t419 + 0x54);
                                                            										_push(1);
                                                            										goto L68;
                                                            									} else {
                                                            										_t361 =  *(_t419 + 0x54);
                                                            										L56:
                                                            										_push(2);
                                                            										L68:
                                                            										_t415 = E00402EF1(_t338, _t361, _t403, _t419);
                                                            										_t281 =  *(_t419 + 0x64);
                                                            										 *((char*)(_t419 - 4)) = 9;
                                                            										__eflags = _t415;
                                                            										if(_t415 != 0) {
                                                            											L57:
                                                            											__eflags = _t281;
                                                            											if(_t281 != 0) {
                                                            												 *((intOrPtr*)( *_t281 + 8))(_t281);
                                                            											}
                                                            											_t282 =  *(_t419 + 0x6c);
                                                            											 *((char*)(_t419 - 4)) = 7;
                                                            											__eflags = _t282;
                                                            											if(_t282 != 0) {
                                                            												 *((intOrPtr*)( *_t282 + 8))(_t282);
                                                            											}
                                                            											break;
                                                            										}
                                                            										__eflags = _t281;
                                                            										if(_t281 != 0) {
                                                            											 *((intOrPtr*)( *_t281 + 8))(_t281);
                                                            										}
                                                            										_t292 =  *(_t419 + 0x6c);
                                                            										 *((char*)(_t419 - 4)) = 7;
                                                            										__eflags = _t292;
                                                            										if(_t292 != 0) {
                                                            											 *((intOrPtr*)( *_t292 + 8))(_t292);
                                                            										}
                                                            										 *((char*)(_t419 - 4)) = 7;
                                                            										goto L78;
                                                            									}
                                                            								} else {
                                                            									_t298 =  *(_t419 + 0x6c);
                                                            									 *((char*)(_t419 - 4)) = 7;
                                                            									__eflags = _t298;
                                                            									if(_t298 != 0) {
                                                            										 *((intOrPtr*)( *_t298 + 8))(_t298);
                                                            									}
                                                            									_t299 =  *(_t419 + 0x50);
                                                            									 *((char*)(_t419 - 4)) = 5;
                                                            									__eflags = _t299;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t299 + 8))(_t299);
                                                            									}
                                                            									 *((char*)(_t419 - 4)) = 2;
                                                            									E0040246D(_t419 - 0xc4, _t414, __eflags);
                                                            									_t167 = _t419 + 0x2c; // 0x423428
                                                            									 *((char*)(_t419 - 4)) = 1;
                                                            									E0040232F(_t339, _t167, _t404, _t414, __eflags);
                                                            									_t302 =  *(_t419 + 0x70);
                                                            									 *((char*)(_t419 - 4)) = 0;
                                                            									__eflags = _t302;
                                                            									if(_t302 != 0) {
                                                            										 *((intOrPtr*)( *_t302 + 8))(_t302);
                                                            									}
                                                            									_t287 = _t339;
                                                            									goto L79;
                                                            								}
                                                            							}
                                                            							_t308 =  *(_t419 + 0x50);
                                                            							 *((char*)(_t419 - 4)) = 5;
                                                            							__eflags = _t308;
                                                            							if(__eflags != 0) {
                                                            								 *((intOrPtr*)( *_t308 + 8))(_t308);
                                                            							}
                                                            							 *((char*)(_t419 - 4)) = 2;
                                                            							E0040246D(_t419 - 0xc4, _t412, __eflags);
                                                            							_t127 = _t419 + 0x2c; // 0x423428
                                                            							 *((char*)(_t419 - 4)) = 1;
                                                            							E0040232F(_t338, _t127, _t403, _t412, __eflags);
                                                            							_t311 =  *(_t419 + 0x70);
                                                            							__eflags = _t311;
                                                            							goto L4;
                                                            						}
                                                            						_t283 =  *(_t419 + 0x50);
                                                            						 *((char*)(_t419 - 4)) = 5;
                                                            						__eflags = _t283;
                                                            						if(__eflags != 0) {
                                                            							 *((intOrPtr*)( *_t283 + 8))(_t283);
                                                            						}
                                                            						 *((char*)(_t419 - 4)) = 2;
                                                            						E0040246D(_t419 - 0xc4, _t415, __eflags);
                                                            						_t118 = _t419 + 0x2c; // 0x423428
                                                            						 *((char*)(_t419 - 4)) = 1;
                                                            						E0040232F(_t338, _t118, _t403, _t415, __eflags);
                                                            						_t286 =  *(_t419 + 0x70);
                                                            						__eflags = _t286;
                                                            						L23:
                                                            						 *((char*)(_t419 - 4)) = 0;
                                                            						if(__eflags != 0) {
                                                            							 *((intOrPtr*)( *_t286 + 8))(_t286);
                                                            						}
                                                            						_t287 = _t415;
                                                            						goto L79;
                                                            					}
                                                            					_t86 = _t419 + 0x2c; // 0x423428
                                                            					 *((char*)(_t419 - 4)) = 1;
                                                            					E0040232F(_t338, _t86, _t402, _t410, __eflags);
                                                            					_t286 =  *(_t419 + 0x70);
                                                            					__eflags = _t286 - _t402;
                                                            					goto L23;
                                                            				} else {
                                                            					_t311 =  *(_t419 + 0x70);
                                                            					_t429 = _t311 - _t402;
                                                            					L4:
                                                            					 *((char*)(_t419 - 4)) = 0;
                                                            					if(_t429 != 0) {
                                                            						 *((intOrPtr*)( *_t311 + 8))(_t311);
                                                            					}
                                                            					_t287 = 0;
                                                            					L79:
                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t419 - 0xc));
                                                            					return _t287;
                                                            				}
                                                            			}

















































                                                            0x00402aec
                                                            0x00402aef
                                                            0x00402afe
                                                            0x00402afe

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Task_impl$H_prolog3_catch
                                                            • String ID: (4B
                                                            • API String ID: 3201307039-3941014785
                                                            • Opcode ID: 7dd698598920f49c7f00bcb4c319b7e72603d0c720e5309275cb43d7f27d00b5
                                                            • Instruction ID: f0288910dd9c909d91c94d4f3f33727955864a049ee0700389af622be2fa39fd
                                                            • Opcode Fuzzy Hash: 7dd698598920f49c7f00bcb4c319b7e72603d0c720e5309275cb43d7f27d00b5
                                                            • Instruction Fuzzy Hash: DD026C70A00248DFDB11DF68CA88A9D7BB5AF58304F1441AAFC09A73D2CBB9ED45CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph of function 0040543E; legend: Executed / Not Executed]
                                                            C-Code - Quality: 90%
                                                            			E0040543E(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				intOrPtr _t199;
                                                            				signed int _t206;
                                                            				intOrPtr* _t208;
                                                            				intOrPtr* _t220;
                                                            				intOrPtr _t227;
                                                            				intOrPtr* _t230;
                                                            				intOrPtr _t233;
                                                            				void* _t237;
                                                            				intOrPtr _t242;
                                                            				intOrPtr _t277;
                                                            				signed int _t279;
                                                            				intOrPtr _t280;
                                                            				intOrPtr* _t282;
                                                            				intOrPtr* _t286;
                                                            				intOrPtr _t288;
                                                            				intOrPtr* _t290;
                                                            				intOrPtr* _t291;
                                                            				void* _t296;
                                                            
                                                            				_t296 = __eflags;
                                                            				_push(0x10c);
                                                            				E00416B21(E00421214, __ebx, __edi, __esi);
                                                            				_t282 = __ecx;
                                                            				 *((intOrPtr*)(_t291 + 0x1c)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x20)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x24)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x28)) = 8;
                                                            				 *((intOrPtr*)(_t291 + 0x18)) = 0x423384;
                                                            				_t279 = 0x42341c;
                                                            				 *(_t291 - 4) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x58)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x54)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x50)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x4c)) = 1;
                                                            				 *(_t291 - 0x5c) = 0x42341c;
                                                            				_t242 = 4;
                                                            				 *((intOrPtr*)(_t291 - 0x6c)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x68)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x64)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x60)) = _t242;
                                                            				 *((intOrPtr*)(_t291 - 0x70)) = 0x423358;
                                                            				 *((intOrPtr*)(_t291 + 0x30)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x34)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x38)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x3c)) = _t242;
                                                            				 *((intOrPtr*)(_t291 + 0x2c)) = 0x423498;
                                                            				 *((intOrPtr*)(_t291 - 0x44)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x40)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x3c)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x38)) = _t242;
                                                            				 *((intOrPtr*)(_t291 - 0x48)) = 0x423358;
                                                            				 *((intOrPtr*)(_t291 - 0x1c)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x18)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x14)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x10)) = 8;
                                                            				 *((intOrPtr*)(_t291 - 0x20)) = 0x423384;
                                                            				 *((intOrPtr*)(_t291 - 0x30)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x2c)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x28)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x24)) = 1;
                                                            				 *(_t291 - 0x34) = 0x42341c;
                                                            				 *((intOrPtr*)(_t291 + 4)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 8)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0xc)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x10)) = _t242;
                                                            				 *_t291 = 0x423358;
                                                            				_t286 =  *((intOrPtr*)(_t291 + 0x64));
                                                            				 *(_t291 - 4) = 7;
                                                            				E004053BF(0, __ecx, 0x42341c, 0, _t286, _t291 + 0x18, _t291 - 0x5c, _t291 - 0x70, _t291 + 0x2c, _t291 - 0x48, _t291 - 0x20, _t291 - 0x34, _t291);
                                                            				 *(_t291 + 0x40) = 0;
                                                            				E004019B6(_t291 - 0x118, _t296, 1);
                                                            				 *((intOrPtr*)(_t291 + 0x44)) =  *_t286 +  *((intOrPtr*)(_t291 + 0x5c));
                                                            				asm("adc eax, [ebp+0x60]");
                                                            				_t297 =  *((intOrPtr*)(_t291 + 0x34));
                                                            				 *((intOrPtr*)(_t291 + 0x48)) =  *((intOrPtr*)(_t286 + 4));
                                                            				 *(_t291 + 0x60) = 0;
                                                            				if( *((intOrPtr*)(_t291 + 0x34)) <= 0) {
                                                            					L17:
                                                            					 *(_t291 - 4) = 7;
                                                            					E0040246D(_t291 - 0x118, _t286, _t307); // executed
                                                            					 *(_t291 - 4) = 6;
                                                            					E00408BC5(_t291);
                                                            					 *(_t291 - 4) = 5;
                                                            					E00408BC5(_t291 - 0x34);
                                                            					 *(_t291 - 4) = 4;
                                                            					E00408BC5(_t291 - 0x20);
                                                            					 *(_t291 - 4) = 3;
                                                            					E00408BC5(_t291 - 0x48);
                                                            					 *(_t291 - 4) = 2;
                                                            					E00403264(0, _t291 + 0x2c, _t282, _t286, _t307);
                                                            					 *(_t291 - 4) = 1;
                                                            					E00408BC5(_t291 - 0x70);
                                                            					 *(_t291 - 4) = 0;
                                                            					E00408BC5(_t291 - 0x5c);
                                                            					 *(_t291 - 4) =  *(_t291 - 4) | 0xffffffff;
                                                            					E00408BC5(_t291 + 0x18);
                                                            					_t199 = 0;
                                                            					L18:
                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t291 - 0xc));
                                                            					return _t199;
                                                            				}
                                                            				 *((intOrPtr*)(_t291 - 0x88)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x84)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x8c)) = 0x423364;
                                                            				while(1) {
                                                            					 *((intOrPtr*)(_t291 + 0x64)) =  *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x38)) +  *(_t291 + 0x60) * 4));
                                                            					_t288 =  *((intOrPtr*)(_t291 + 0x68));
                                                            					_t67 = _t291 - 0x8c; // 0x423364
                                                            					 *(_t291 - 4) = 9;
                                                            					E00404E08(0, _t288, _t282, _t288, _t297);
                                                            					_push(0);
                                                            					 *(_t291 - 4) = 8;
                                                            					L00408BFB(0, _t282, _t288, _t297);
                                                            					_t289 =  *( *((intOrPtr*)(_t288 + 0xc)) +  *(_t288 + 8) * 4 - 4);
                                                            					_t260 =  *((intOrPtr*)(_t291 + 0x64));
                                                            					 *(_t291 + 0x50) =  *( *((intOrPtr*)(_t288 + 0xc)) +  *(_t288 + 8) * 4 - 4);
                                                            					_t206 = E004023E2( *((intOrPtr*)(_t291 + 0x64)));
                                                            					 *(_t291 - 0x80) = _t206;
                                                            					if(_t206 != _t206) {
                                                            						break;
                                                            					}
                                                            					_t299 = 0 - _t279;
                                                            					if(0 != _t279) {
                                                            						break;
                                                            					}
                                                            					E0040140A(_t289, _t291, _t206);
                                                            					_t220 = E00408BD0(0, _t282, _t299, 0x14);
                                                            					_t300 = _t220;
                                                            					if(_t220 == 0) {
                                                            						_t290 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						 *((intOrPtr*)(_t220 + 4)) = 0;
                                                            						 *_t220 = 0x423518;
                                                            						_t290 = _t220;
                                                            					}
                                                            					E0040222C(_t291 + 0x4c, _t290);
                                                            					_push( *((intOrPtr*)(_t291 + 0x70)));
                                                            					_push( *((intOrPtr*)(_t291 + 0x6c)));
                                                            					_push(0);
                                                            					_push( *((intOrPtr*)(_t291 + 0x4c)));
                                                            					 *((intOrPtr*)(_t290 + 8)) =  *((intOrPtr*)( *(_t291 + 0x50) + 8));
                                                            					_push( *((intOrPtr*)(_t291 + 0x64)));
                                                            					 *(_t290 + 0xc) =  *(_t291 - 0x80);
                                                            					 *((intOrPtr*)(_t290 + 0x10)) = 0;
                                                            					_t91 = _t291 + 0x40; // 0x42352c
                                                            					_t289 =  *_t91;
                                                            					_push( *((intOrPtr*)(_t291 + 0x24)) + _t289 * 8);
                                                            					_push( *((intOrPtr*)(_t291 + 0x48)));
                                                            					 *(_t291 - 4) = 0xa;
                                                            					_push( *((intOrPtr*)(_t291 + 0x44)));
                                                            					_push( *_t282);
                                                            					_t227 = E00401ADB(0, _t291 - 0x118, _t282, _t289, _t300);
                                                            					 *((intOrPtr*)(_t291 + 0x14)) = _t227;
                                                            					if(_t227 != 0) {
                                                            						L20:
                                                            						_t208 =  *((intOrPtr*)(_t291 + 0x4c));
                                                            						 *(_t291 - 4) = 8;
                                                            						__eflags = _t208;
                                                            						if(__eflags != 0) {
                                                            							 *((intOrPtr*)( *_t208 + 8))(_t208);
                                                            						}
                                                            						 *(_t291 - 4) = 7;
                                                            						E0040246D(_t291 - 0x118, _t289, __eflags);
                                                            						 *(_t291 - 4) = 6;
                                                            						E00408BC5(_t291);
                                                            						 *(_t291 - 4) = 5;
                                                            						E00408BC5(_t291 - 0x34);
                                                            						 *(_t291 - 4) = 4;
                                                            						E00408BC5(_t291 - 0x20);
                                                            						 *(_t291 - 4) = 3;
                                                            						E00408BC5(_t291 - 0x48);
                                                            						 *(_t291 - 4) = 2;
                                                            						E00403264(0, _t291 + 0x2c, _t282, _t289, __eflags);
                                                            						 *(_t291 - 4) = 1;
                                                            						E00408BC5(_t291 - 0x70);
                                                            						 *(_t291 - 4) = 0;
                                                            						E00408BC5(_t291 - 0x5c);
                                                            						 *(_t291 - 4) =  *(_t291 - 4) | 0xffffffff;
                                                            						E00408BC5(_t291 + 0x18);
                                                            						_t199 =  *((intOrPtr*)(_t291 + 0x14));
                                                            						goto L18;
                                                            					} else {
                                                            						if( *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x54)) == 0) {
                                                            							L10:
                                                            							 *(_t291 + 0x50) = 0;
                                                            							if( *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x30)) <= 0) {
                                                            								L14:
                                                            								_t230 =  *((intOrPtr*)(_t291 + 0x4c));
                                                            								 *(_t291 - 4) = 8;
                                                            								if(_t230 != 0) {
                                                            									 *((intOrPtr*)( *_t230 + 8))(_t230);
                                                            								}
                                                            								 *(_t291 + 0x60) =  *(_t291 + 0x60) + 1;
                                                            								_t307 =  *(_t291 + 0x60) -  *((intOrPtr*)(_t291 + 0x34));
                                                            								if( *(_t291 + 0x60) <  *((intOrPtr*)(_t291 + 0x34))) {
                                                            									continue;
                                                            								} else {
                                                            									goto L17;
                                                            								}
                                                            							}
                                                            							_t277 =  *((intOrPtr*)(_t291 + 0x24));
                                                            							do {
                                                            								_t280 =  *((intOrPtr*)(_t277 + 4 + _t289 * 8));
                                                            								_t233 =  *((intOrPtr*)(_t277 + _t289 * 8));
                                                            								_t289 = _t289 + 1;
                                                            								 *((intOrPtr*)(_t291 + 0x44)) =  *((intOrPtr*)(_t291 + 0x44)) + _t233;
                                                            								 *((intOrPtr*)(_t291 - 0x74)) = _t280;
                                                            								asm("adc [ebp+0x48], edx");
                                                            								 *((intOrPtr*)(_t282 + 0x48)) =  *((intOrPtr*)(_t282 + 0x48)) + _t233;
                                                            								asm("adc [edi+0x4c], eax");
                                                            								 *(_t291 + 0x50) =  *(_t291 + 0x50) + 1;
                                                            								_t279 =  *(_t291 + 0x50);
                                                            							} while (_t279 <  *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x30)));
                                                            							 *(_t291 + 0x40) = _t289;
                                                            							goto L14;
                                                            						}
                                                            						_t279 =  *(_t291 - 0x80);
                                                            						_t237 = E0040C9E9( *((intOrPtr*)( *(_t291 + 0x50) + 8)), _t279);
                                                            						_t260 =  *((intOrPtr*)(_t291 + 0x64));
                                                            						if(_t237 !=  *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x50))) {
                                                            							break;
                                                            						}
                                                            						goto L10;
                                                            					}
                                                            				}
                                                            				E00403C2E(_t260, _t282);
                                                            				goto L20;
                                                            			}






















                                                            0x00405572
                                                            0x00405575
                                                            0x00405578
                                                            0x00405581
                                                            0x00405585
                                                            0x0040558a
                                                            0x0040558b
                                                            0x0040558f
                                                            0x0040559b
                                                            0x0040559f
                                                            0x004055a2
                                                            0x004055a5
                                                            0x004055aa
                                                            0x004055af
                                                            0x00000000
                                                            0x00000000
                                                            0x004055b5
                                                            0x004055b7
                                                            0x00000000
                                                            0x00000000
                                                            0x004055c0
                                                            0x004055c7
                                                            0x004055cd
                                                            0x004055cf
                                                            0x004055de
                                                            0x004055de
                                                            0x004055d1
                                                            0x004055d1
                                                            0x004055d4
                                                            0x004055da
                                                            0x004055da
                                                            0x004055e4
                                                            0x004055e9
                                                            0x004055ef
                                                            0x004055f5
                                                            0x004055f6
                                                            0x004055f9
                                                            0x004055ff
                                                            0x00405602
                                                            0x00405605
                                                            0x0040560b
                                                            0x0040560b
                                                            0x00405613
                                                            0x00405614
                                                            0x00405617
                                                            0x0040561b
                                                            0x0040561e
                                                            0x00405625
                                                            0x0040562a
                                                            0x0040562f
                                                            0x00405739
                                                            0x00405739
                                                            0x0040573c
                                                            0x00405740
                                                            0x00405742
                                                            0x00405747
                                                            0x00405747
                                                            0x00405750
                                                            0x00405754
                                                            0x0040575c
                                                            0x00405760
                                                            0x00405768
                                                            0x0040576c
                                                            0x00405774
                                                            0x00405778
                                                            0x00405780
                                                            0x00405784
                                                            0x0040578c
                                                            0x00405790
                                                            0x00405798
                                                            0x0040579c
                                                            0x004057a4
                                                            0x004057a7
                                                            0x004057ac
                                                            0x004057b3
                                                            0x004057b8
                                                            0x00000000
                                                            0x00405635
                                                            0x0040563b
                                                            0x00405657
                                                            0x0040565d
                                                            0x00405660
                                                            0x0040568f
                                                            0x0040568f
                                                            0x00405692
                                                            0x00405698
                                                            0x0040569d
                                                            0x0040569d
                                                            0x004056a0
                                                            0x004056a6
                                                            0x004056a9
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004056a9
                                                            0x00405662
                                                            0x00405665
                                                            0x00405665
                                                            0x00405669
                                                            0x0040566c
                                                            0x0040566d
                                                            0x00405670
                                                            0x00405673
                                                            0x00405676
                                                            0x0040567b
                                                            0x0040567e
                                                            0x00405684
                                                            0x00405687
                                                            0x0040568c
                                                            0x00000000
                                                            0x0040568c
                                                            0x00405643
                                                            0x00405646
                                                            0x0040564b
                                                            0x00405651
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00405651
                                                            0x0040562f
                                                            0x00405734
                                                            0x00000000

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040544C
                                                            • ~_Task_impl.LIBCPMT ref: 004056F5
                                                              • Part of subcall function 00404E08: __EH_prolog3.LIBCMT ref: 00404E0F
                                                            • ~_Task_impl.LIBCPMT ref: 00405790
                                                              • Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3Task_impl$Exception@8Throw_malloc
                                                            • String ID: ,5B$X3B$d3B
                                                            • API String ID: 3886086520-1481860430
                                                            • Opcode ID: 85d03e3685e81ff3b769d94fe1e0308ece955acc27123708505d5f255a3a9165
                                                            • Instruction ID: 814289aad0976a7bf2f57e0359f589b9b41a73cc03a2e1a0d3bfeed728cac17b
                                                            • Opcode Fuzzy Hash: 85d03e3685e81ff3b769d94fe1e0308ece955acc27123708505d5f255a3a9165
                                                            • Instruction Fuzzy Hash: A8D105B0901248DFCB14DFA9C980ADDBBB4FF18304F5481AEF959A7281DB78AA45CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 833 405e50-405e91 call 416b21 call 403043 838 405e93 call 403c2e 833->838 839 405e98-405ec6 call 40c9e9 833->839 838->839 839->838 843 405ec8-405ee7 839->843 844 4060e4-4060e9 call 416bf9 843->844 845 405eed-405eef 843->845 847 405ef1-405ef5 845->847 848 405ef7-405efa 845->848 847->848 850 405eff-405f02 847->850 848->844 851 405f04 850->851 852 405f0b-405f20 call 409f8a 850->852 851->848 853 405f06-405f09 851->853 852->844 855 405f26-405f51 call 40140a call 40b06f 852->855 853->848 853->852 860 405f53 855->860 861 405f64-405f9c call 40c9e9 855->861 862 405f55-405f5f call 408bfb 860->862 861->838 867 405fa2-405fdf call 404430 call 403cc9 861->867 868 4060e3 862->868 873 405fe1-405fe3 867->873 874 405fe9-405fec 867->874 868->844 873->874 875 40609f-4060e1 call 4057c0 call 404035 call 4043f7 call 408bfb 873->875 874->838 876 405ff2-405ff4 874->876 875->868 876->838 877 405ffa-406019 call 40543e 876->877 882 40601e-406022 877->882 884 406041-406045 882->884 885 406024-40603c call 404035 call 4043f7 882->885 888 406066-40606a 884->888 889 406047-40605f call 404035 call 4043f7 884->889 885->862 888->838 892 406070-406091 call 4043f7 call 404430 call 403cc9 888->892 889->888 892->838 907 406097-406099 892->907 907->838 907->875
                                                            C-Code - Quality: 93%
                                                            			E00405E50(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				char* _t97;
                                                            				intOrPtr* _t111;
                                                            				signed int _t114;
                                                            				void* _t120;
                                                            				void* _t123;
                                                            				void* _t130;
                                                            				signed int _t133;
                                                            				signed int _t143;
                                                            				signed int _t144;
                                                            				void* _t149;
                                                            				void* _t164;
                                                            				signed int _t167;
                                                            				intOrPtr _t169;
                                                            				intOrPtr* _t171;
                                                            				signed int _t172;
                                                            				void* _t173;
                                                            
                                                            				_push(0x34);
                                                            				E00416B21(E004212C3, __ebx, __edi, __esi);
                                                            				_t171 = __ecx;
                                                            				_t169 =  *((intOrPtr*)(_t173 + 8));
                                                            				E00403043(_t169);
                                                            				 *((intOrPtr*)(_t169 + 0x138)) =  *((intOrPtr*)(_t171 + 0x20));
                                                            				 *((intOrPtr*)(_t169 + 0x13c)) =  *((intOrPtr*)(_t171 + 0x24));
                                                            				_t97 = _t169 + 0x130;
                                                            				 *_t97 =  *((intOrPtr*)(_t171 + 0x2e));
                                                            				_t148 =  *((intOrPtr*)(_t171 + 0x2f));
                                                            				 *((char*)(_t169 + 0x131)) =  *((intOrPtr*)(_t171 + 0x2f));
                                                            				if( *_t97 != 0) {
                                                            					L1:
                                                            					E00403C2E(_t148, _t169);
                                                            				}
                                                            				_t143 =  *(_t171 + 0x40);
                                                            				 *((intOrPtr*)(_t173 + 8)) =  *((intOrPtr*)(_t171 + 0x30));
                                                            				_t148 = _t171 + 0x34;
                                                            				 *((intOrPtr*)(_t173 - 0x18)) =  *_t148;
                                                            				 *((intOrPtr*)(_t173 - 0x14)) =  *((intOrPtr*)(_t148 + 4));
                                                            				 *(_t173 - 0x20) =  *(_t171 + 0x3c);
                                                            				_t164 = 0x14;
                                                            				 *((intOrPtr*)(_t173 - 0x10)) =  *((intOrPtr*)(_t171 + 0x44));
                                                            				if(E0040C9E9(_t148, _t164) !=  *((intOrPtr*)(_t173 + 8))) {
                                                            					goto L1;
                                                            				}
                                                            				 *((intOrPtr*)(_t169 + 0x140)) =  *((intOrPtr*)(_t171 + 0x20)) + 0x20;
                                                            				_t149 = 0;
                                                            				asm("adc edx, ecx");
                                                            				_t108 =  *(_t173 - 0x20) | _t143;
                                                            				 *((intOrPtr*)(_t169 + 0x144)) =  *((intOrPtr*)(_t171 + 0x24));
                                                            				if(( *(_t173 - 0x20) | _t143) != 0) {
                                                            					if(_t143 > _t149 ||  *(_t173 - 0x20) > 0xffffffff) {
                                                            						L6:
                                                            						_t108 = 1;
                                                            					} else {
                                                            						__eflags =  *((intOrPtr*)(_t173 - 0x14)) - _t149;
                                                            						if(__eflags > 0) {
                                                            							L10:
                                                            							_t111 =  *_t171;
                                                            							_t108 =  *((intOrPtr*)( *_t111 + 0x10))(_t111,  *((intOrPtr*)(_t173 - 0x18)),  *((intOrPtr*)(_t173 - 0x14)), 1, _t149);
                                                            							__eflags = _t108;
                                                            							if(_t108 == 0) {
                                                            								 *((intOrPtr*)(_t173 - 0x2c)) = 0x423364;
                                                            								 *((intOrPtr*)(_t173 - 0x28)) = 0;
                                                            								 *((intOrPtr*)(_t173 - 0x24)) = 0;
                                                            								 *((intOrPtr*)(_t173 - 4)) = 0;
                                                            								_t38 = _t173 - 0x2c; // 0x423364
                                                            								E0040140A(_t38, _t173,  *(_t173 - 0x20));
                                                            								_t114 = E0040B06F(__eflags,  *_t171,  *((intOrPtr*)(_t173 - 0x24)),  *(_t173 - 0x20)); // executed
                                                            								__eflags = _t114;
                                                            								if(__eflags == 0) {
                                                            									_t167 =  *(_t173 - 0x20);
                                                            									asm("adc ecx, 0x0");
                                                            									 *((intOrPtr*)(_t171 + 0x48)) =  *((intOrPtr*)(_t171 + 0x48)) + _t167 + 0x20;
                                                            									asm("adc [esi+0x4c], ecx");
                                                            									_t148 =  *((intOrPtr*)(_t173 - 0x24));
                                                            									asm("adc ebx, [ebp-0x14]");
                                                            									asm("adc ebx, 0x0");
                                                            									 *((intOrPtr*)(_t169 + 0x1c8)) = _t167 +  *((intOrPtr*)(_t173 - 0x18)) + 0x20;
                                                            									 *(_t169 + 0x1cc) = _t143;
                                                            									_t120 = E0040C9E9( *((intOrPtr*)(_t173 - 0x24)), _t167);
                                                            									__eflags = _t120 -  *((intOrPtr*)(_t173 - 0x10));
                                                            									if(_t120 !=  *((intOrPtr*)(_t173 - 0x10))) {
                                                            										goto L1;
                                                            									} else {
                                                            										 *((char*)(_t173 - 0x14)) = 0;
                                                            										_t51 = _t173 - 0x2c; // 0x423364
                                                            										 *((char*)(_t173 - 4)) = 1;
                                                            										E00404430(_t171, _t51);
                                                            										_t144 = 0;
                                                            										 *((intOrPtr*)(_t173 - 0x3c)) = 0;
                                                            										 *(_t173 - 0x38) = 0;
                                                            										 *((intOrPtr*)(_t173 - 0x34)) = 0;
                                                            										 *((intOrPtr*)(_t173 - 0x30)) = 4;
                                                            										 *((intOrPtr*)(_t173 - 0x40)) = 0x42352c;
                                                            										_t148 =  *((intOrPtr*)(_t171 + 0x18));
                                                            										 *((char*)(_t173 - 4)) = 2;
                                                            										_t123 = E00403CC9( *((intOrPtr*)(_t171 + 0x18)), _t167);
                                                            										__eflags = _t123 - 1;
                                                            										if(_t123 != 1) {
                                                            											L17:
                                                            											__eflags = _t123 - 0x17;
                                                            											if(_t123 != 0x17) {
                                                            												goto L1;
                                                            											} else {
                                                            												__eflags = _t167 - _t144;
                                                            												if(__eflags != 0) {
                                                            													goto L1;
                                                            												} else {
                                                            													_t62 = _t173 - 0x40; // 0x42352c
                                                            													_t148 = _t171;
                                                            													_t144 = E0040543E(_t144, _t171, _t169, _t171, __eflags,  *((intOrPtr*)(_t169 + 0x140)),  *((intOrPtr*)(_t169 + 0x144)), _t169 + 0x150, _t62,  *((intOrPtr*)(_t173 + 0xc)),  *((intOrPtr*)(_t173 + 0x10)));
                                                            													__eflags = _t144;
                                                            													if(__eflags == 0) {
                                                            														__eflags =  *(_t173 - 0x38);
                                                            														if(__eflags != 0) {
                                                            															__eflags =  *(_t173 - 0x38) - 1;
                                                            															if( *(_t173 - 0x38) > 1) {
                                                            																goto L1;
                                                            															} else {
                                                            																E004043F7(_t173 - 0x18);
                                                            																E00404430(_t171,  *((intOrPtr*)( *((intOrPtr*)(_t173 - 0x34)))));
                                                            																_t148 =  *((intOrPtr*)(_t171 + 0x18));
                                                            																_t130 = E00403CC9( *((intOrPtr*)(_t171 + 0x18)), _t167);
                                                            																__eflags = _t130 - 1;
                                                            																if(_t130 != 1) {
                                                            																	goto L1;
                                                            																} else {
                                                            																	__eflags = _t167;
                                                            																	if(__eflags != 0) {
                                                            																		goto L1;
                                                            																	} else {
                                                            																		goto L26;
                                                            																	}
                                                            																}
                                                            															}
                                                            														} else {
                                                            															_t72 = _t173 - 0x40; // 0x42352c
                                                            															 *((char*)(_t173 - 4)) = 1;
                                                            															E00404035(_t144, _t72, _t169, _t171, __eflags);
                                                            															 *((char*)(_t173 - 4)) = 0;
                                                            															E004043F7(_t173 - 0x18);
                                                            															_t144 = 0;
                                                            															goto L13;
                                                            														}
                                                            													} else {
                                                            														_t67 = _t173 - 0x40; // 0x42352c
                                                            														 *((char*)(_t173 - 4)) = 1;
                                                            														E00404035(_t144, _t67, _t169, _t171, __eflags);
                                                            														 *((char*)(_t173 - 4)) = 0;
                                                            														E004043F7(_t173 - 0x18);
                                                            														goto L13;
                                                            													}
                                                            												}
                                                            											}
                                                            										} else {
                                                            											__eflags = _t167;
                                                            											if(__eflags == 0) {
                                                            												L26:
                                                            												 *((intOrPtr*)(_t169 + 0x1c0)) =  *((intOrPtr*)(_t171 + 0x48));
                                                            												 *((intOrPtr*)(_t169 + 0x1c4)) =  *((intOrPtr*)(_t171 + 0x4c));
                                                            												_t133 = E004057C0(_t144, _t171, _t167, _t169, _t171, __eflags, _t169,  *((intOrPtr*)(_t173 + 0xc)),  *((intOrPtr*)(_t173 + 0x10)));
                                                            												_t87 = _t173 - 0x40; // 0x42352c
                                                            												_t172 = _t133;
                                                            												 *((char*)(_t173 - 4)) = 1;
                                                            												E00404035(_t144, _t87, _t169, _t172, __eflags);
                                                            												 *((char*)(_t173 - 4)) = 0;
                                                            												E004043F7(_t173 - 0x18);
                                                            												_push( *((intOrPtr*)(_t173 - 0x24)));
                                                            												L00408BFB(_t144, _t169, _t172, __eflags);
                                                            												_t108 = _t172;
                                                            												goto L27;
                                                            											} else {
                                                            												goto L17;
                                                            											}
                                                            										}
                                                            									}
                                                            								} else {
                                                            									_t144 = _t114;
                                                            									L13:
                                                            									_push( *((intOrPtr*)(_t173 - 0x24)));
                                                            									L00408BFB(_t144, _t169, _t171, __eflags);
                                                            									_t108 = _t144;
                                                            									L27:
                                                            								}
                                                            							}
                                                            						} else {
                                                            							if(__eflags < 0) {
                                                            								goto L6;
                                                            							} else {
                                                            								__eflags =  *((intOrPtr*)(_t173 - 0x18)) - _t149;
                                                            								if( *((intOrPtr*)(_t173 - 0x18)) < _t149) {
                                                            									goto L6;
                                                            								} else {
                                                            									goto L10;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return E00416BF9(_t108);
                                                            			}

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00405E57
                                                              • Part of subcall function 00403C2E: __CxxThrowException@8.LIBCMT ref: 00403C48
                                                            • ~_Task_impl.LIBCPMT ref: 0040602B
                                                            • ~_Task_impl.LIBCPMT ref: 0040604E
                                                            • ~_Task_impl.LIBCPMT ref: 004060C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Task_impl$Exception@8H_prolog3Throw
                                                            • String ID: ,5B$d3B
                                                            • API String ID: 2671850710-4022472632
                                                            • Opcode ID: 7c0775fd51aa641adf85b337397f615fa1b72316e97e0daecfbe9a7385fd49df
                                                            • Instruction ID: 22ed54c7a815a4ab7570c59c5c815cf412b8cd08c948cb3af00627dc78b13c80
                                                            • Opcode Fuzzy Hash: 7c0775fd51aa641adf85b337397f615fa1b72316e97e0daecfbe9a7385fd49df
                                                            • Instruction Fuzzy Hash: 89813970A00649DFCB15DFA5C881ADEBBB0FF08304F14452EE545B7391D739AA44CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 86%
                                                            			E0041203E(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed short* _t35;
                                                            				int _t36;
                                                            				void* _t41;
                                                            				void* _t47;
                                                            				void* _t52;
                                                            				struct HWND__** _t78;
                                                            				void* _t80;
                                                            				void* _t82;
                                                            
                                                            				_push(0x24);
                                                            				E00416B21(E00421EEC, __ebx, __edi, __esi);
                                                            				_t80 = __ecx;
                                                            				 *(__ecx + 0x40) =  *(__ecx + 0x40) | 0xffffffff;
                                                            				 *(__ecx + 0x44) =  *(__ecx + 0x44) | 0xffffffff;
                                                            				 *(__ecx + 0x4c) =  *(__ecx + 0x4c) | 0xffffffff;
                                                            				_t78 = __ecx + 4;
                                                            				 *((intOrPtr*)(_t80 + 0x48)) = GetDlgItem( *_t78, 0x3e8);
                                                            				_t35 = _t80 + 0x98;
                                                            				_t84 =  *_t35;
                                                            				if( *_t35 >= 0) {
                                                            					SendMessageW( *_t78, 0x80, 1, LoadIconW( *0x43063c,  *_t35 & 0x0000ffff));
                                                            				}
                                                            				_t36 = SetTimer( *_t78, 3, 0x64, 0); // executed
                                                            				 *(_t80 + 0x20) = _t36;
                                                            				E00411A09(_t78,  *((intOrPtr*)(_t80 + 0x24)));
                                                            				E00411E99(_t80);
                                                            				E0040320A(_t82 - 0x24);
                                                            				 *((intOrPtr*)(_t82 - 4)) = 0;
                                                            				_t41 = E0040C825(_t82 - 0x24, _t82 - 0x18, 0x47);
                                                            				 *((char*)(_t82 - 4)) = 1;
                                                            				E00408639(_t82 - 0x24, _t82, _t41);
                                                            				_push( *(_t82 - 0x18));
                                                            				 *((char*)(_t82 - 4)) = 0;
                                                            				L00408BFB(0, _t78, _t80, _t84);
                                                            				SetDlgItemTextW( *_t78, 0x3e7,  *(_t82 - 0x24)); // executed
                                                            				E0040320A(_t82 - 0x18);
                                                            				 *((char*)(_t82 - 4)) = 2;
                                                            				_t47 = E0040C825(_t82 - 0x18, _t82 - 0x30, 0x15);
                                                            				 *((char*)(_t82 - 4)) = 3;
                                                            				E00408639(_t82 - 0x18, _t82, _t47);
                                                            				_push( *((intOrPtr*)(_t82 - 0x30)));
                                                            				 *((char*)(_t82 - 4)) = 2;
                                                            				L00408BFB(SetDlgItemTextW, _t78, _t80, _t84);
                                                            				SetDlgItemTextW( *_t78, 2,  *(_t82 - 0x18)); // executed
                                                            				 *(_t80 + 0x58) =  *_t78;
                                                            				_t52 = E00410729(_t80);
                                                            				 *((char*)(_t80 + 0x50)) = 1;
                                                            				_t81 = _t80 + 0x54;
                                                            				_t64 = _t52;
                                                            				E0040FCA0(_t80 + 0x54);
                                                            				_push( *(_t82 - 0x18));
                                                            				L00408BFB(_t52, _t78, _t81, _t80 + 0x54);
                                                            				_push( *(_t82 - 0x24));
                                                            				L00408BFB(_t52, _t78, _t81, _t80 + 0x54);
                                                            				return E00416BF9(_t64);
                                                            			}

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00412045
                                                            • GetDlgItem.USER32 ref: 00412062
                                                            • LoadIconW.USER32(?), ref: 00412081
                                                            • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00412091
                                                            • SetTimer.USER32(?,00000003,00000064,00000000), ref: 0041209E
                                                            • SetDlgItemTextW.USER32 ref: 004120F7
                                                            • SetDlgItemTextW.USER32 ref: 00412131
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Item$Text$H_prolog3IconLoadMessageSendTimer
                                                            • String ID:
                                                            • API String ID: 939275570-0
                                                            • Opcode ID: 39daad9ba48e2c2f6d80b86682300c4b134f58aff4b3b9f1a086de2835435c81
                                                            • Instruction ID: 21c704d9c836a514070a3f35ff2bc92d5ecee665b3ff0147aa08f3bdc7422be8
                                                            • Opcode Fuzzy Hash: 39daad9ba48e2c2f6d80b86682300c4b134f58aff4b3b9f1a086de2835435c81
                                                            • Instruction Fuzzy Hash: 6E31A071500344EFDB11ABA1CD46ADDBFB4AF08314F10016EF291A61E2CF7A6A55DB18
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            C-Code - Quality: 89%
                                                            			E00401ADB(void* __ebx, signed int* __ecx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				signed int _t329;
                                                            				signed int _t346;
                                                            				intOrPtr* _t355;
                                                            				signed int _t357;
                                                            				signed int _t360;
                                                            				signed int _t361;
                                                            				signed int _t369;
                                                            				signed int _t370;
                                                            				signed int _t383;
                                                            				signed int _t389;
                                                            				signed int _t390;
                                                            				unsigned int _t394;
                                                            				signed int _t398;
                                                            				signed int _t404;
                                                            				signed int _t405;
                                                            				signed int _t410;
                                                            				signed int _t411;
                                                            				signed int _t412;
                                                            				signed int _t418;
                                                            				signed int _t424;
                                                            				signed int _t425;
                                                            				signed int _t427;
                                                            				signed int _t428;
                                                            				signed char _t429;
                                                            				signed int _t432;
                                                            				signed int _t440;
                                                            				signed int _t446;
                                                            				signed int _t447;
                                                            				intOrPtr _t478;
                                                            				intOrPtr _t488;
                                                            				signed int _t494;
                                                            				unsigned int* _t504;
                                                            				signed int _t508;
                                                            				signed int _t521;
                                                            				signed int _t543;
                                                            				signed int _t549;
                                                            				signed int _t550;
                                                            				signed int _t551;
                                                            				intOrPtr* _t553;
                                                            				signed int _t555;
                                                            				signed int* _t556;
                                                            				intOrPtr* _t557;
                                                            				signed int _t558;
                                                            				signed int _t561;
                                                            				signed int _t562;
                                                            				intOrPtr* _t563;
                                                            				void* _t568;
                                                            
                                                            				_t568 = __eflags;
                                                            				_t545 = __edi;
                                                            				_push(0xcc);
                                                            				E00416B21(E00420D66, __ebx, __edi, __esi);
                                                            				 *(_t563 + 0x34) = __ecx;
                                                            				_t555 =  *(_t563 + 0x60);
                                                            				if(E004041D7(__ebx, _t555, __edi, _t555, _t568) != 0) {
                                                            					 *((char*)( *((intOrPtr*)(_t563 + 0x70)))) = 0;
                                                            					 *((intOrPtr*)(_t563 + 4)) = 0;
                                                            					 *(_t563 + 8) = 0;
                                                            					 *((intOrPtr*)(_t563 + 0xc)) = 0;
                                                            					 *((intOrPtr*)(_t563 + 0x10)) = 4;
                                                            					 *_t563 = 0x4233bc;
                                                            					_push(_t563 - 0x70);
                                                            					 *(_t563 - 4) = 0;
                                                            					 *((intOrPtr*)(_t563 - 0x74)) = 0;
                                                            					E0040FCFC(__eflags);
                                                            					 *(_t563 - 4) = 1;
                                                            					E00406200(_t563 - 0x74,  *(_t563 + 0x50));
                                                            					__eflags =  *(_t555 + 0x30);
                                                            					 *(_t563 + 0x50) = 0;
                                                            					if(__eflags <= 0) {
                                                            						L15:
                                                            						_t457 = _t563 - 0xd8;
                                                            						 *(_t563 + 0x28) =  *( *(_t563 + 0x60) + 8);
                                                            						E004018AB(_t563 - 0xd8, __eflags);
                                                            						 *(_t563 - 4) = 4;
                                                            						E004017E4(_t563 - 0xd8,  *(_t563 + 0x60), _t563 - 0xd8);
                                                            						_t556 =  *(_t563 + 0x34);
                                                            						__eflags =  *_t556;
                                                            						if( *_t556 == 0) {
                                                            							L17:
                                                            							E00408B5A();
                                                            							_t547 =  &(_t556[0x1d]);
                                                            							E00402B01( &(_t556[0x1d]));
                                                            							__eflags = _t556[0x1a];
                                                            							if(__eflags != 0) {
                                                            								_t424 = E00408BD0(0, _t547, __eflags, 0x88);
                                                            								__eflags = _t424;
                                                            								if(_t424 == 0) {
                                                            									_t425 = 0;
                                                            									__eflags = 0;
                                                            								} else {
                                                            									_t425 = E004018D0(_t424);
                                                            								}
                                                            								_t556[0x1b] = _t425;
                                                            								E00406200(_t547, _t425);
                                                            								_t427 = _t556[0x1b];
                                                            								__eflags = _t427;
                                                            								if(_t427 == 0) {
                                                            									_t428 = 0;
                                                            									__eflags = 0;
                                                            								} else {
                                                            									_t428 = _t427 + 4;
                                                            								}
                                                            								_t556[0x1c] = _t428;
                                                            							}
                                                            							_t329 =  *((intOrPtr*)( *(_t556[0x1c])))(_t563 - 0xd8);
                                                            							__eflags = _t329;
                                                            							if(__eflags == 0) {
                                                            								__eflags =  *(_t563 + 0x28);
                                                            								 *(_t563 + 0x44) = 0;
                                                            								if(__eflags <= 0) {
                                                            									L45:
                                                            									E004019EB( &(_t556[1]), _t563 - 0xd8);
                                                            									 *_t556 = 1;
                                                            									L46:
                                                            									 *((intOrPtr*)( *(_t556[0x1c]) + 4))();
                                                            									__eflags =  *(_t563 + 0x28);
                                                            									 *(_t563 + 0x34) = 0;
                                                            									 *(_t563 + 0x30) = 0;
                                                            									 *(_t563 + 0x2c) = 0;
                                                            									if( *(_t563 + 0x28) <= 0) {
                                                            										L88:
                                                            										E004011A3(_t563 - 0xd8,  *((intOrPtr*)( *((intOrPtr*)(_t563 - 0x90)))), _t563 + 0x60, _t563 + 0x70);
                                                            										__eflags = _t556[0x1a];
                                                            										if(_t556[0x1a] != 0) {
                                                            											 *(_t556[0x1b] + 0x70) =  *(_t563 + 0x60);
                                                            										}
                                                            										__eflags =  *(_t563 + 0x28);
                                                            										if(__eflags != 0) {
                                                            											 *((intOrPtr*)(_t563 - 0x48)) = 0;
                                                            											 *((intOrPtr*)(_t563 - 0x44)) = 0;
                                                            											 *((intOrPtr*)(_t563 - 0x40)) = 0;
                                                            											 *((intOrPtr*)(_t563 - 0x3c)) = 4;
                                                            											 *((intOrPtr*)(_t563 - 0x4c)) = 0x42339c;
                                                            											 *(_t563 - 4) = 0xf;
                                                            											E00408A61(_t563 - 0x4c,  *(_t563 + 8));
                                                            											_t547 = 0;
                                                            											__eflags =  *(_t563 + 8);
                                                            											if( *(_t563 + 8) <= 0) {
                                                            												L102:
                                                            												_t557 = _t556[0x1d];
                                                            												 *((intOrPtr*)(_t563 - 0x24)) =  *((intOrPtr*)(_t563 + 0x64));
                                                            												_t558 =  *((intOrPtr*)( *_t557 + 0xc))(_t557,  *((intOrPtr*)(_t563 - 0x40)), 0,  *(_t563 + 8), _t563 - 0x24, 0, 1,  *((intOrPtr*)(_t563 + 0x68)));
                                                            												 *(_t563 - 4) = 4;
                                                            												E00408BC5(_t563 - 0x4c);
                                                            												goto L27;
                                                            											} else {
                                                            												goto L101;
                                                            											}
                                                            											do {
                                                            												L101:
                                                            												E0040105E(_t563 - 0x4c,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0xc)) + _t547 * 4)))));
                                                            												_t547 = _t547 + 1;
                                                            												__eflags = _t547 -  *(_t563 + 8);
                                                            											} while (_t547 <  *(_t563 + 8));
                                                            											goto L102;
                                                            										} else {
                                                            											_t558 = 0;
                                                            											goto L27;
                                                            										}
                                                            									}
                                                            									 *((intOrPtr*)(_t563 + 0x20)) = 0;
                                                            									do {
                                                            										 *(_t563 + 0x3c) =  *( *((intOrPtr*)( *(_t563 + 0x60) + 0xc)) +  *(_t563 + 0x2c) * 4);
                                                            										_t547 =  *( *((intOrPtr*)(_t563 + 0x20)) + _t556[0x21]);
                                                            										 *(_t563 + 0x24) = 0;
                                                            										_t355 =  *_t547;
                                                            										 *(_t563 - 4) = 8;
                                                            										 *((intOrPtr*)( *_t355))(_t355, 0x424064, _t563 + 0x24);
                                                            										_t357 =  *(_t563 + 0x24);
                                                            										__eflags = _t357;
                                                            										if(_t357 == 0) {
                                                            											L51:
                                                            											 *(_t563 - 4) = 4;
                                                            											__eflags = _t357;
                                                            											if(_t357 != 0) {
                                                            												 *((intOrPtr*)( *_t357 + 8))(_t357);
                                                            											}
                                                            											 *(_t563 + 0x44) = 0;
                                                            											_t547 =  *_t547;
                                                            											 *(_t563 - 4) = 9;
                                                            											 *( *_t547)(_t547, 0x4240e4, _t563 + 0x44);
                                                            											_t360 =  *(_t563 + 0x44);
                                                            											__eflags = _t360;
                                                            											if(_t360 == 0) {
                                                            												L61:
                                                            												 *(_t563 - 4) = 4;
                                                            												__eflags = _t360;
                                                            												if(_t360 != 0) {
                                                            													 *((intOrPtr*)( *_t360 + 8))(_t360);
                                                            												}
                                                            												_t361 =  *(_t563 + 0x3c);
                                                            												_t549 =  *(_t361 + 0x18);
                                                            												_t478 = 4;
                                                            												 *((intOrPtr*)(_t563 + 0x20)) =  *((intOrPtr*)(_t563 + 0x20)) + _t478;
                                                            												 *(_t563 + 0x40) =  *(_t361 + 0x14);
                                                            												 *((intOrPtr*)(_t563 - 0x1c)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x18)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x14)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x10)) = _t478;
                                                            												 *((intOrPtr*)(_t563 - 0x20)) = 0x423390;
                                                            												 *((intOrPtr*)(_t563 - 0x34)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x30)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x2c)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x28)) = _t478;
                                                            												 *((intOrPtr*)(_t563 - 0x38)) = 0x423390;
                                                            												 *(_t563 - 4) = 0xe;
                                                            												E00408A61(_t563 - 0x20,  *(_t361 + 0x14));
                                                            												E00408A61(_t563 - 0x38, _t549);
                                                            												__eflags = _t549;
                                                            												if(_t549 <= 0) {
                                                            													_t547 =  *(_t563 + 0x60);
                                                            													goto L81;
                                                            												} else {
                                                            													 *(_t563 + 0x3c) = _t549;
                                                            													_t547 =  *(_t563 + 0x60);
                                                            													do {
                                                            														E0040105E(_t563 - 0x38,  *((intOrPtr*)(_t547 + 0x48)) +  *(_t563 + 0x30) * 8);
                                                            														 *(_t563 + 0x30) =  *(_t563 + 0x30) + 1;
                                                            														_t221 = _t563 + 0x3c;
                                                            														 *_t221 =  *(_t563 + 0x3c) - 1;
                                                            														__eflags =  *_t221;
                                                            													} while ( *_t221 != 0);
                                                            													L81:
                                                            													 *(_t563 + 0x3c) = 0;
                                                            													__eflags =  *(_t563 + 0x40);
                                                            													if( *(_t563 + 0x40) <= 0) {
                                                            														goto L87;
                                                            													} else {
                                                            														goto L82;
                                                            													}
                                                            													do {
                                                            														L82:
                                                            														_t369 = E00401237(_t547,  *(_t563 + 0x34));
                                                            														__eflags = _t369;
                                                            														if(_t369 < 0) {
                                                            															_t370 = E00401282(_t547,  *(_t563 + 0x34));
                                                            															__eflags = _t370;
                                                            															if(_t370 < 0) {
                                                            																 *(_t563 - 4) = 0xd;
                                                            																E00408BC5(_t563 - 0x38);
                                                            																 *(_t563 - 4) = 4;
                                                            																E00408BC5(_t563 - 0x20);
                                                            																goto L94;
                                                            															}
                                                            															_t488 =  *((intOrPtr*)(_t563 + 0x5c));
                                                            															goto L86;
                                                            														}
                                                            														_t370 =  *( *((intOrPtr*)(_t547 + 0x20)) + 4 + _t369 * 8);
                                                            														_t488 =  *((intOrPtr*)(_t547 + 0x48));
                                                            														L86:
                                                            														E0040105E(_t563 - 0x20, _t488 + _t370 * 8);
                                                            														 *(_t563 + 0x3c) =  *(_t563 + 0x3c) + 1;
                                                            														 *(_t563 + 0x34) =  &(( *(_t563 + 0x34))[0]);
                                                            														__eflags =  *(_t563 + 0x3c) -  *(_t563 + 0x40);
                                                            													} while ( *(_t563 + 0x3c) <  *(_t563 + 0x40));
                                                            													goto L87;
                                                            												}
                                                            											} else {
                                                            												_t494 =  *(_t563 + 0x6c);
                                                            												__eflags = _t494;
                                                            												if(__eflags == 0) {
                                                            													 *(_t563 - 4) = 4;
                                                            													 *((intOrPtr*)( *_t360 + 8))(_t360);
                                                            													L94:
                                                            													_t558 = 0x80004005;
                                                            													goto L27;
                                                            												}
                                                            												 *(_t563 + 0x38) = 0;
                                                            												 *(_t563 - 4) = 0xa;
                                                            												_t547 =  *((intOrPtr*)( *_t494 + 0xc))(_t494, _t563 + 0x38);
                                                            												__eflags = _t547;
                                                            												if(_t547 != 0) {
                                                            													L95:
                                                            													__imp__#6( *(_t563 + 0x38));
                                                            													_t383 =  *(_t563 + 0x44);
                                                            													 *(_t563 - 4) = 4;
                                                            													__eflags = _t383;
                                                            													if(__eflags != 0) {
                                                            														 *((intOrPtr*)( *_t383 + 8))(_t383);
                                                            													}
                                                            													_t558 = _t547;
                                                            													goto L27;
                                                            												}
                                                            												 *((intOrPtr*)(_t563 + 0x14)) = 0x423364;
                                                            												 *((intOrPtr*)(_t563 + 0x18)) = 0;
                                                            												 *(_t563 + 0x1c) = 0;
                                                            												 *(_t563 - 4) = 0xb;
                                                            												 *((char*)( *((intOrPtr*)(_t563 + 0x70)))) = 1;
                                                            												E00401647(_t563 - 0x58, _t563,  *(_t563 + 0x38));
                                                            												_t551 =  *(_t563 - 0x54);
                                                            												 *(_t563 - 4) = 0xc;
                                                            												 *(_t563 + 0x40) = _t551 + _t551;
                                                            												E0040140A(_t563 + 0x14, _t563, _t551 + _t551);
                                                            												__eflags = _t551;
                                                            												if(__eflags <= 0) {
                                                            													L59:
                                                            													_t389 =  *(_t563 + 0x44);
                                                            													_t390 =  *((intOrPtr*)( *_t389 + 0xc))(_t389,  *(_t563 + 0x1c),  *(_t563 + 0x40));
                                                            													_push( *((intOrPtr*)(_t563 - 0x58)));
                                                            													_t547 = _t390;
                                                            													L00408BFB(0, _t547, _t556, __eflags);
                                                            													_push( *(_t563 + 0x1c));
                                                            													__eflags = _t547;
                                                            													if(__eflags != 0) {
                                                            														L00408BFB(0, _t547, _t556, __eflags);
                                                            														goto L95;
                                                            													}
                                                            													 *((intOrPtr*)(_t563 + 0x14)) = 0x423364;
                                                            													L00408BFB(0, _t547, _t556, __eflags);
                                                            													__imp__#6( *(_t563 + 0x38));
                                                            													_t360 =  *(_t563 + 0x44);
                                                            													goto L61;
                                                            												}
                                                            												_t504 =  *(_t563 + 0x1c);
                                                            												_t543 =  *((intOrPtr*)(_t563 - 0x58)) - _t504;
                                                            												__eflags = _t543;
                                                            												do {
                                                            													_t394 =  *(_t504 + _t543) & 0x0000ffff;
                                                            													 *_t504 = _t394;
                                                            													_t504[0] = _t394 >> 8;
                                                            													_t504 =  &(_t504[0]);
                                                            													_t551 = _t551 - 1;
                                                            													__eflags = _t551;
                                                            												} while (__eflags != 0);
                                                            												goto L59;
                                                            											}
                                                            										}
                                                            										_t508 =  *( *(_t563 + 0x3c) + 0xc);
                                                            										 *(_t563 + 0x40) = _t508;
                                                            										__eflags = _t508 - 0xffffffff;
                                                            										if(__eflags > 0) {
                                                            											 *(_t563 - 4) = 4;
                                                            											L79:
                                                            											 *((intOrPtr*)( *_t357 + 8))(_t357);
                                                            											L77:
                                                            											_t558 = 0x80004001;
                                                            											goto L27;
                                                            										}
                                                            										_t398 =  *((intOrPtr*)( *_t357 + 0xc))(_t357,  *((intOrPtr*)( *(_t563 + 0x3c) + 0x10)),  *(_t563 + 0x40));
                                                            										 *(_t563 + 0x40) = _t398;
                                                            										__eflags = _t398;
                                                            										_t357 =  *(_t563 + 0x24);
                                                            										if(_t398 != 0) {
                                                            											L70:
                                                            											 *(_t563 - 4) = 4;
                                                            											__eflags = _t357;
                                                            											if(__eflags != 0) {
                                                            												 *((intOrPtr*)( *_t357 + 8))(_t357);
                                                            											}
                                                            											_t558 =  *(_t563 + 0x40);
                                                            											goto L27;
                                                            										}
                                                            										goto L51;
                                                            										L87:
                                                            										_t550 =  *(_t563 + 0x2c);
                                                            										 *((intOrPtr*)( *(_t556[0x1c]) + 8))(_t550,  *((intOrPtr*)(_t563 - 0x14)),  *((intOrPtr*)(_t563 - 0x2c)));
                                                            										 *(_t563 - 4) = 0xd;
                                                            										E00408BC5(_t563 - 0x38);
                                                            										 *(_t563 - 4) = 4;
                                                            										E00408BC5(_t563 - 0x20);
                                                            										_t547 = _t550 + 1;
                                                            										__eflags = _t547 -  *(_t563 + 0x28);
                                                            										 *(_t563 + 0x2c) = _t547;
                                                            									} while (_t547 <  *(_t563 + 0x28));
                                                            									goto L88;
                                                            								} else {
                                                            									goto L29;
                                                            								}
                                                            								while(1) {
                                                            									L29:
                                                            									_t547 =  *( *((intOrPtr*)( *(_t563 + 0x60) + 0xc)) +  *(_t563 + 0x44) * 4);
                                                            									 *(_t563 + 0x58) = 0;
                                                            									 *(_t563 + 0x50) = 0;
                                                            									_push(0);
                                                            									_push(_t563 + 0x50);
                                                            									_push(_t563 + 0x58);
                                                            									_push( *((intOrPtr*)(_t547 + 4)));
                                                            									 *(_t563 - 4) = 6;
                                                            									_push( *_t547);
                                                            									_t404 = E00409D4D( *(_t563 + 0x44), _t556, __eflags);
                                                            									 *(_t563 + 0x40) = _t404;
                                                            									__eflags = _t404;
                                                            									if(_t404 != 0) {
                                                            										break;
                                                            									}
                                                            									 *(_t563 + 0x38) = 0;
                                                            									__eflags =  *((intOrPtr*)(_t547 + 0x14)) - 1;
                                                            									 *(_t563 - 4) = 7;
                                                            									if( *((intOrPtr*)(_t547 + 0x14)) != 1) {
                                                            										L35:
                                                            										__eflags =  *(_t563 + 0x50);
                                                            										if( *(_t563 + 0x50) == 0) {
                                                            											_t357 =  *(_t563 + 0x58);
                                                            											 *(_t563 - 4) = 4;
                                                            											__eflags = _t357;
                                                            											if(__eflags == 0) {
                                                            												goto L77;
                                                            											}
                                                            											goto L79;
                                                            										}
                                                            										E00406200(_t563 + 0x38,  *(_t563 + 0x50));
                                                            										__eflags = _t556[0x1a];
                                                            										if(__eflags != 0) {
                                                            											E00406D8E(_t556[0x1b], _t563, __eflags,  *(_t563 + 0x50));
                                                            										}
                                                            										L38:
                                                            										_push(_t563 + 0x38);
                                                            										E004014BA(0,  &(_t556[0x1e]), _t547, _t556, __eflags);
                                                            										_t410 =  *(_t563 + 0x38);
                                                            										 *(_t563 - 4) = 6;
                                                            										__eflags = _t410;
                                                            										if(_t410 != 0) {
                                                            											 *((intOrPtr*)( *_t410 + 8))(_t410);
                                                            										}
                                                            										_t411 =  *(_t563 + 0x50);
                                                            										 *(_t563 - 4) = 5;
                                                            										__eflags = _t411;
                                                            										if(_t411 != 0) {
                                                            											 *((intOrPtr*)( *_t411 + 8))(_t411);
                                                            										}
                                                            										_t412 =  *(_t563 + 0x58);
                                                            										 *(_t563 - 4) = 4;
                                                            										__eflags = _t412;
                                                            										if(_t412 != 0) {
                                                            											 *((intOrPtr*)( *_t412 + 8))(_t412);
                                                            										}
                                                            										 *(_t563 + 0x44) =  *(_t563 + 0x44) + 1;
                                                            										__eflags =  *(_t563 + 0x44) -  *(_t563 + 0x28);
                                                            										if(__eflags < 0) {
                                                            											continue;
                                                            										} else {
                                                            											goto L45;
                                                            										}
                                                            									}
                                                            									__eflags =  *((intOrPtr*)(_t547 + 0x18)) - 1;
                                                            									if( *((intOrPtr*)(_t547 + 0x18)) != 1) {
                                                            										goto L35;
                                                            									}
                                                            									_t521 =  *(_t563 + 0x58);
                                                            									__eflags = _t521;
                                                            									if(_t521 == 0) {
                                                            										_t418 =  *(_t563 + 0x50);
                                                            										 *(_t563 - 4) = 5;
                                                            										__eflags = _t418;
                                                            										if(_t418 != 0) {
                                                            											 *((intOrPtr*)( *_t418 + 8))(_t418);
                                                            											_t521 =  *(_t563 + 0x58);
                                                            										}
                                                            										 *(_t563 - 4) = 4;
                                                            										__eflags = _t521;
                                                            										if(__eflags != 0) {
                                                            											 *((intOrPtr*)( *_t521 + 8))(_t521);
                                                            										}
                                                            										goto L77;
                                                            									}
                                                            									E00406200(_t563 + 0x38, _t521);
                                                            									__eflags = _t556[0x1a];
                                                            									if(__eflags != 0) {
                                                            										E00406D69(_t556[0x1b], _t563, __eflags,  *(_t563 + 0x58));
                                                            									}
                                                            									goto L38;
                                                            								}
                                                            								_t405 =  *(_t563 + 0x50);
                                                            								 *(_t563 - 4) = 5;
                                                            								__eflags = _t405;
                                                            								if(_t405 != 0) {
                                                            									 *((intOrPtr*)( *_t405 + 8))(_t405);
                                                            								}
                                                            								_t357 =  *(_t563 + 0x58);
                                                            								goto L70;
                                                            							} else {
                                                            								_t558 = _t329;
                                                            								L27:
                                                            								 *(_t563 - 4) = 1;
                                                            								E0040136C(0, _t563 - 0xd8, _t547, _t558, __eflags);
                                                            								 *(_t563 - 4) = 0;
                                                            								E004013EF(_t563 - 0x74);
                                                            								 *(_t563 - 4) =  *(_t563 - 4) | 0xffffffff;
                                                            								E00401489(0, _t563, _t547, _t558, __eflags);
                                                            								_t346 = _t558;
                                                            								goto L2;
                                                            							}
                                                            						}
                                                            						_t547 =  &(_t556[1]);
                                                            						_t429 = E004012A6(_t457,  &(_t556[1]), _t563 - 0xd8);
                                                            						_t556 =  *(_t563 + 0x34);
                                                            						asm("sbb al, al");
                                                            						__eflags =  ~_t429 + 1;
                                                            						if( ~_t429 + 1 == 0) {
                                                            							goto L46;
                                                            						}
                                                            						goto L17;
                                                            					} else {
                                                            						goto L4;
                                                            					}
                                                            					do {
                                                            						L4:
                                                            						_t432 = E00408BD0(0, _t545, __eflags, 0x18);
                                                            						__eflags = _t432;
                                                            						if(_t432 == 0) {
                                                            							_t561 = 0;
                                                            							__eflags = 0;
                                                            						} else {
                                                            							 *((intOrPtr*)(_t432 + 4)) = 0;
                                                            							 *_t432 = 0x423334;
                                                            							_t561 = _t432;
                                                            						}
                                                            						E0040222C(_t563 + 0x30, _t561);
                                                            						 *((intOrPtr*)(_t561 + 8)) = _t563 - 0x74;
                                                            						 *((intOrPtr*)(_t561 + 0x10)) =  *((intOrPtr*)(_t563 + 0x54));
                                                            						 *(_t561 + 0x14) =  *(_t563 + 0x58);
                                                            						_t553 =  *((intOrPtr*)(_t563 + 0x5c)) +  *(_t563 + 0x50) * 8;
                                                            						 *((intOrPtr*)(_t563 + 0x54)) =  *((intOrPtr*)(_t563 + 0x54)) +  *_t553;
                                                            						asm("adc [ebp+0x58], eax");
                                                            						 *(_t563 - 4) = 2;
                                                            						_t440 = E00408BD0(0, _t553, __eflags, 0x28);
                                                            						__eflags = _t440;
                                                            						if(_t440 == 0) {
                                                            							_t562 = 0;
                                                            							__eflags = 0;
                                                            						} else {
                                                            							 *((intOrPtr*)(_t440 + 4)) = 0;
                                                            							 *_t440 = 0x4233a8;
                                                            							 *((intOrPtr*)(_t440 + 8)) = 0;
                                                            							_t562 = _t440;
                                                            						}
                                                            						E0040222C(_t563 + 0x2c, _t562);
                                                            						_t37 = _t562 + 8; // 0x8
                                                            						 *(_t563 - 4) = 3;
                                                            						E00406200(_t37,  *(_t563 + 0x30));
                                                            						_t545 =  *((intOrPtr*)(_t553 + 4));
                                                            						 *((intOrPtr*)(_t562 + 0x10)) =  *_t553;
                                                            						_push(_t563 + 0x2c);
                                                            						 *((intOrPtr*)(_t562 + 0x14)) =  *((intOrPtr*)(_t553 + 4));
                                                            						 *((intOrPtr*)(_t562 + 0x18)) = 0;
                                                            						 *((intOrPtr*)(_t562 + 0x1c)) = 0;
                                                            						 *((char*)(_t562 + 0x20)) = 0;
                                                            						E004014BA(0, _t563,  *((intOrPtr*)(_t553 + 4)), _t562, __eflags);
                                                            						_t446 =  *(_t563 + 0x2c);
                                                            						 *(_t563 - 4) = 2;
                                                            						__eflags = _t446;
                                                            						if(_t446 != 0) {
                                                            							 *((intOrPtr*)( *_t446 + 8))(_t446);
                                                            						}
                                                            						_t447 =  *(_t563 + 0x30);
                                                            						 *(_t563 - 4) = 1;
                                                            						__eflags = _t447;
                                                            						if(_t447 != 0) {
                                                            							 *((intOrPtr*)( *_t447 + 8))(_t447);
                                                            						}
                                                            						 *(_t563 + 0x50) =  *(_t563 + 0x50) + 1;
                                                            						__eflags =  *(_t563 + 0x50) -  *((intOrPtr*)( *(_t563 + 0x60) + 0x30));
                                                            					} while (__eflags < 0);
                                                            					goto L15;
                                                            				} else {
                                                            					_t346 = 0x80004001;
                                                            					L2:
                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t563 - 0xc));
                                                            					return _t346;
                                                            				}
                                                            			}
                                                            0x00401fe0
                                                            0x00401fe3
                                                            0x00401fe6
                                                            0x00401ff3
                                                            0x00401ff8
                                                            0x00401ffb
                                                            0x00401ffb
                                                            0x00401ffb
                                                            0x00401ffb
                                                            0x0040206e
                                                            0x0040206e
                                                            0x00402071
                                                            0x00402074
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00402076
                                                            0x00402076
                                                            0x0040207b
                                                            0x00402080
                                                            0x00402082
                                                            0x00402095
                                                            0x0040209a
                                                            0x0040209c
                                                            0x00402175
                                                            0x00402179
                                                            0x00402181
                                                            0x00402185
                                                            0x00000000
                                                            0x00402185
                                                            0x004020a2
                                                            0x00000000
                                                            0x004020a2
                                                            0x00402087
                                                            0x0040208b
                                                            0x004020a5
                                                            0x004020ac
                                                            0x004020b1
                                                            0x004020b7
                                                            0x004020ba
                                                            0x004020ba
                                                            0x00000000
                                                            0x00402076
                                                            0x00401ec6
                                                            0x00401ec6
                                                            0x00401ec9
                                                            0x00401ecb
                                                            0x00402137
                                                            0x0040213b
                                                            0x0040213e
                                                            0x0040213e
                                                            0x00000000
                                                            0x0040213e
                                                            0x00401ed1
                                                            0x00401edb
                                                            0x00401ee2
                                                            0x00401ee4
                                                            0x00401ee6
                                                            0x00402148
                                                            0x0040214b
                                                            0x00402151
                                                            0x00402154
                                                            0x00402158
                                                            0x0040215a
                                                            0x0040215f
                                                            0x0040215f
                                                            0x00402162
                                                            0x00000000
                                                            0x00402162
                                                            0x00401eec
                                                            0x00401ef3
                                                            0x00401ef6
                                                            0x00401f02
                                                            0x00401f06
                                                            0x00401f09
                                                            0x00401f0e
                                                            0x00401f18
                                                            0x00401f1c
                                                            0x00401f1f
                                                            0x00401f24
                                                            0x00401f26
                                                            0x00401f41
                                                            0x00401f44
                                                            0x00401f4d
                                                            0x00401f50
                                                            0x00401f53
                                                            0x00401f55
                                                            0x00401f5a
                                                            0x00401f5d
                                                            0x00401f5f
                                                            0x00402169
                                                            0x00000000
                                                            0x0040216f
                                                            0x00401f65
                                                            0x00401f6c
                                                            0x00401f76
                                                            0x00401f7c
                                                            0x00000000
                                                            0x00401f7c
                                                            0x00401f28
                                                            0x00401f2e
                                                            0x00401f2e
                                                            0x00401f30
                                                            0x00401f30
                                                            0x00401f34
                                                            0x00401f39
                                                            0x00401f3d
                                                            0x00401f3e
                                                            0x00401f3e
                                                            0x00401f3e
                                                            0x00000000
                                                            0x00401f30
                                                            0x00401ec0
                                                            0x00401e69
                                                            0x00401e6c
                                                            0x00401e6f
                                                            0x00401e72
                                                            0x0040212b
                                                            0x00402063
                                                            0x00402066
                                                            0x0040204e
                                                            0x0040204e
                                                            0x00000000
                                                            0x0040204e
                                                            0x00401e85
                                                            0x00401e88
                                                            0x00401e8b
                                                            0x00401e8d
                                                            0x00401e90
                                                            0x00402016
                                                            0x00402016
                                                            0x0040201a
                                                            0x0040201c
                                                            0x00402021
                                                            0x00402021
                                                            0x00402024
                                                            0x00000000
                                                            0x00402024
                                                            0x00000000
                                                            0x004020bf
                                                            0x004020c8
                                                            0x004020ce
                                                            0x004020d4
                                                            0x004020d8
                                                            0x004020e0
                                                            0x004020e4
                                                            0x004020e9
                                                            0x004020ea
                                                            0x004020ed
                                                            0x004020ed
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401d1f
                                                            0x00401d1f
                                                            0x00401d28
                                                            0x00401d2b
                                                            0x00401d2e
                                                            0x00401d31
                                                            0x00401d35
                                                            0x00401d39
                                                            0x00401d3a
                                                            0x00401d3d
                                                            0x00401d41
                                                            0x00401d43
                                                            0x00401d48
                                                            0x00401d4b
                                                            0x00401d4d
                                                            0x00000000
                                                            0x00000000
                                                            0x00401d53
                                                            0x00401d56
                                                            0x00401d5a
                                                            0x00401d5e
                                                            0x00401d8c
                                                            0x00401d8c
                                                            0x00401d8f
                                                            0x00402058
                                                            0x0040205b
                                                            0x0040205f
                                                            0x00402061
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00402061
                                                            0x00401d9b
                                                            0x00401da0
                                                            0x00401da3
                                                            0x00401dab
                                                            0x00401dab
                                                            0x00401db0
                                                            0x00401db3
                                                            0x00401db7
                                                            0x00401dbc
                                                            0x00401dbf
                                                            0x00401dc3
                                                            0x00401dc5
                                                            0x00401dca
                                                            0x00401dca
                                                            0x00401dcd
                                                            0x00401dd0
                                                            0x00401dd4
                                                            0x00401dd6
                                                            0x00401ddb
                                                            0x00401ddb
                                                            0x00401dde
                                                            0x00401de1
                                                            0x00401de5
                                                            0x00401de7
                                                            0x00401dec
                                                            0x00401dec
                                                            0x00401def
                                                            0x00401df5
                                                            0x00401df8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401df8
                                                            0x00401d60
                                                            0x00401d64
                                                            0x00000000
                                                            0x00000000
                                                            0x00401d66
                                                            0x00401d69
                                                            0x00401d6b
                                                            0x0040202c
                                                            0x0040202f
                                                            0x00402033
                                                            0x00402035
                                                            0x0040203a
                                                            0x0040203d
                                                            0x0040203d
                                                            0x00402040
                                                            0x00402044
                                                            0x00402046
                                                            0x0040204b
                                                            0x0040204b
                                                            0x00000000
                                                            0x00402046
                                                            0x00401d75
                                                            0x00401d7a
                                                            0x00401d7d
                                                            0x00401d85
                                                            0x00401d85
                                                            0x00000000
                                                            0x00401d7d
                                                            0x00402002
                                                            0x00402005
                                                            0x00402009
                                                            0x0040200b
                                                            0x00402010
                                                            0x00402010
                                                            0x00402013
                                                            0x00000000
                                                            0x00401ce4
                                                            0x00401ce4
                                                            0x00401ce6
                                                            0x00401cec
                                                            0x00401cf0
                                                            0x00401cf8
                                                            0x00401cfb
                                                            0x00401d00
                                                            0x00401d07
                                                            0x00401d0c
                                                            0x00000000
                                                            0x00401d0c
                                                            0x00401ce2
                                                            0x00401c68
                                                            0x00401c71
                                                            0x00401c76
                                                            0x00401c7b
                                                            0x00401c7d
                                                            0x00401c7f
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401b63
                                                            0x00401b63
                                                            0x00401b65
                                                            0x00401b6b
                                                            0x00401b6d
                                                            0x00401b7c
                                                            0x00401b7c
                                                            0x00401b6f
                                                            0x00401b6f
                                                            0x00401b72
                                                            0x00401b78
                                                            0x00401b78
                                                            0x00401b82
                                                            0x00401b8d
                                                            0x00401b93
                                                            0x00401b99
                                                            0x00401b9f
                                                            0x00401ba4
                                                            0x00401bac
                                                            0x00401baf
                                                            0x00401bb3
                                                            0x00401bb9
                                                            0x00401bbb
                                                            0x00401bcd
                                                            0x00401bcd
                                                            0x00401bbd
                                                            0x00401bbd
                                                            0x00401bc0
                                                            0x00401bc6
                                                            0x00401bc9
                                                            0x00401bc9
                                                            0x00401bd3
                                                            0x00401bdb
                                                            0x00401bde
                                                            0x00401be2
                                                            0x00401be9
                                                            0x00401bec
                                                            0x00401bf2
                                                            0x00401bf6
                                                            0x00401bf9
                                                            0x00401bfc
                                                            0x00401bff
                                                            0x00401c02
                                                            0x00401c07
                                                            0x00401c0a
                                                            0x00401c0e
                                                            0x00401c10
                                                            0x00401c15
                                                            0x00401c15
                                                            0x00401c18
                                                            0x00401c1b
                                                            0x00401c1f
                                                            0x00401c21
                                                            0x00401c26
                                                            0x00401c26
                                                            0x00401c29
                                                            0x00401c32
                                                            0x00401c32
                                                            0x00000000
                                                            0x00401aff
                                                            0x00401aff
                                                            0x00401b04
                                                            0x00401b07
                                                            0x00401b16
                                                            0x00401b16

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00401AE9
                                                              • Part of subcall function 004041D7: __EH_prolog3.LIBCMT ref: 004041E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: d3B
                                                            • API String ID: 431132790-3693543266
                                                            • Opcode ID: d8afe6f6ff4891dc18ce29e9ffc2b2caf8244958c7e486e4a2347d26cb19dee7
                                                            • Instruction ID: fe56a826ab4fa0c4caee881864b3562cd941cd1960334c3267d892546610e000
                                                            • Opcode Fuzzy Hash: d8afe6f6ff4891dc18ce29e9ffc2b2caf8244958c7e486e4a2347d26cb19dee7
                                                            • Instruction Fuzzy Hash: 23424871900289DFCB14DFA4C984A9DBBB1BF08304F24446EF94AA73A1CB79EE45CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1151 417abb-417acd 1152 417aeb-417b03 call 41871a call 41ae0d 1151->1152 1153 417acf-417ae9 call 41ad48 call 41b335 1151->1153 1163 417b05-417b27 call 418908 call 4187a8 1152->1163 1164 417b4f-417b59 call 4174de 1152->1164 1162 417b67-417b6a 1153->1162 1175 417b29 1163->1175 1176 417b2c-417b44 CreateThread 1163->1176 1170 417b64 1164->1170 1171 417b5b-417b63 call 41ad6e 1164->1171 1174 417b66 1170->1174 1171->1170 1174->1162 1175->1176 1176->1174 1178 417b46-417b4c GetLastError 1176->1178 1178->1164
                                                            C-Code - Quality: 73%
                                                            			E00417ABB(void* __edx, void* __esi, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
                                                            				DWORD* _v8;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __ebp;
                                                            				void* _t20;
                                                            				DWORD* _t25;
                                                            				intOrPtr* _t27;
                                                            				char _t41;
                                                            				void* _t44;
                                                            
                                                            				_t41 = _a12;
                                                            				_v8 = 0;
                                                            				_t48 = _t41;
                                                            				if(_t41 != 0) {
                                                            					_push(__esi);
                                                            					E0041871A();
                                                            					_t44 = E0041AE0D(1, 0x214);
                                                            					__eflags = _t44;
                                                            					if(__eflags == 0) {
                                                            						L7:
                                                            						_push(_t44);
                                                            						E004174DE(0, _t41, _t44, __eflags);
                                                            						__eflags = _v8;
                                                            						if(_v8 != 0) {
                                                            							E0041AD6E(_v8);
                                                            						}
                                                            						_t20 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_push( *((intOrPtr*)(E00418908(0, __edx, _t41, __eflags) + 0x6c)));
                                                            						_push(_t44);
                                                            						E004187A8(0, _t41, _t44, __eflags);
                                                            						 *(_t44 + 4) =  *(_t44 + 4) | 0xffffffff;
                                                            						 *((intOrPtr*)(_t44 + 0x58)) = _a16;
                                                            						_t25 = _a24;
                                                            						 *((intOrPtr*)(_t44 + 0x54)) = _t41;
                                                            						__eflags = _t25;
                                                            						if(_t25 == 0) {
                                                            							_t25 =  &_a12;
                                                            						}
                                                            						_t20 = CreateThread(_a4, _a8, E00417A38, _t44, _a20, _t25); // executed
                                                            						__eflags = _t20;
                                                            						if(__eflags == 0) {
                                                            							_v8 = GetLastError();
                                                            							goto L7;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t27 = E0041AD48(_t48);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					 *_t27 = 0x16;
                                                            					E0041B335(__edx, _t41, __esi);
                                                            					_t20 = 0;
                                                            				}
                                                            				return _t20;
                                                            			}













                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 00417AEC
                                                            • __calloc_crt.LIBCMT ref: 00417AF8
                                                            • __getptd.LIBCMT ref: 00417B05
                                                            • CreateThread.KERNELBASE(?,?,00417A38,00000000,?,?), ref: 00417B3C
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00417B46
                                                            • __dosmaperr.LIBCMT ref: 00417B5E
                                                              • Part of subcall function 0041AD48: __getptd_noexit.LIBCMT ref: 0041AD48
                                                              • Part of subcall function 0041B335: __decode_pointer.LIBCMT ref: 0041B340
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1803633139-0
                                                            • Opcode ID: bd57337042e369ada8254afdd92a6befe6d8931571a8e1857cc31b4486f3c813
                                                            • Instruction ID: 20030da27661398e7b4bd22b816fad984296ffe35ec401903591d51bcc064354
                                                            • Opcode Fuzzy Hash: bd57337042e369ada8254afdd92a6befe6d8931571a8e1857cc31b4486f3c813
                                                            • Instruction Fuzzy Hash: F111C872909204AFCB10BFA5DC828DF77B5EF04368B20402FF51597191DB79AA918B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1179 4109de-410a0f call 416b21 CreateFileW 1182 410a11-410a2b call 40320a call 409876 1179->1182 1183 410a48-410a4e 1179->1183 1192 410a2d-410a3c CreateFileW 1182->1192 1193 410a3f-410a47 call 408bfb 1182->1193 1185 410a70-410a77 call 416bf9 1183->1185 1186 410a50-410a6a SetFileTime FindCloseChangeNotification 1183->1186 1186->1185 1192->1193 1193->1183
                                                            C-Code - Quality: 88%
                                                            			E004109DE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t21;
                                                            				int _t24;
                                                            				void* _t28;
                                                            				signed int _t33;
                                                            				void* _t39;
                                                            				void* _t40;
                                                            
                                                            				_push(0x10);
                                                            				E00416B21(E00421C6C, __ebx, __edi, __esi);
                                                            				_t39 = CreateFileW;
                                                            				_t21 = CreateFileW( *(_t40 + 8), 0x40000000, 3, 0, 3, 0x2000000, 0); // executed
                                                            				 *(_t40 - 0x10) = _t21;
                                                            				_t42 = _t21 - 0xffffffff;
                                                            				if(_t21 == 0xffffffff) {
                                                            					E0040320A(_t40 - 0x1c);
                                                            					 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
                                                            					_t28 = E00409876(_t42,  *(_t40 + 8), _t40 - 0x1c);
                                                            					_t43 = _t28;
                                                            					if(_t28 != 0) {
                                                            						 *(_t40 - 0x10) = CreateFileW( *(_t40 - 0x1c), 0x40000000, 3, 0, 3, 0x2000000, 0);
                                                            					}
                                                            					_push( *(_t40 - 0x1c));
                                                            					L00408BFB(0x2000000, 0x40000000, _t39, _t43);
                                                            				}
                                                            				_t33 = 0;
                                                            				if( *(_t40 - 0x10) != 0xffffffff) {
                                                            					_t24 = SetFileTime( *(_t40 - 0x10),  *(_t40 + 0xc),  *(_t40 + 0x10),  *(_t40 + 0x14)); // executed
                                                            					_t33 = 0 | _t24 != 0x00000000;
                                                            					FindCloseChangeNotification( *(_t40 - 0x10)); // executed
                                                            				}
                                                            				return E00416BF9(_t33);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 004109E5
                                                            • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,00000010), ref: 00410A07
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 00410A3A
                                                            • SetFileTime.KERNELBASE(000000FF,?,000000FF,?), ref: 00410A5C
                                                            • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00410A6A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: File$Create$ChangeCloseFindH_prolog3NotificationTime
                                                            • String ID:
                                                            • API String ID: 617186795-0
                                                            • Opcode ID: bc39a54a1b828aed2b943b5f512252c6bdd0e7999e1584c50203e6193bebcbfb
                                                            • Instruction ID: 3613f7cd525b14c886710ac5f4de7458b184cc3a0c0b6e5d5c1753a367fab2e1
                                                            • Opcode Fuzzy Hash: bc39a54a1b828aed2b943b5f512252c6bdd0e7999e1584c50203e6193bebcbfb
                                                            • Instruction Fuzzy Hash: E8118231940219BBDF119F60DC01FEE7B79AF04714F10852AB6206A1E1C7B99A51DB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1196 4174de-4174ef call 417b6c 1199 4174f1-4174f8 1196->1199 1200 417566-41756b call 417bb1 1196->1200 1201 4174fa-417512 call 419ea7 call 419eda 1199->1201 1202 41753d 1199->1202 1214 417514-41751c call 419f0a 1201->1214 1215 41751d-41752d call 417534 1201->1215 1204 41753e-41754e RtlFreeHeap 1202->1204 1204->1200 1207 417550-417565 call 41ad48 GetLastError call 41ad06 1204->1207 1207->1200 1214->1215 1215->1200 1221 41752f-417532 1215->1221 1221->1204
                                                            C-Code - Quality: 30%
                                                            			E004174DE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _t10;
                                                            				intOrPtr _t13;
                                                            				intOrPtr _t23;
                                                            				void* _t25;
                                                            
                                                            				_push(0xc);
                                                            				_push(0x42a450);
                                                            				_t8 = E00417B6C(__ebx, __edi, __esi);
                                                            				_t23 =  *((intOrPtr*)(_t25 + 8));
                                                            				if(_t23 == 0) {
                                                            					L9:
                                                            					return E00417BB1(_t8);
                                                            				}
                                                            				if( *0x4342d8 != 3) {
                                                            					_push(_t23);
                                                            					L7:
                                                            					_push(0);
                                                            					_t8 = RtlFreeHeap( *0x430e7c); // executed
                                                            					_t31 = _t8;
                                                            					if(_t8 == 0) {
                                                            						_t10 = E0041AD48(_t31);
                                                            						 *_t10 = E0041AD06(GetLastError());
                                                            					}
                                                            					goto L9;
                                                            				}
                                                            				E00419EA7(__ebx, 4);
                                                            				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                            				_t13 = E00419EDA(_t23);
                                                            				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                                                            				if(_t13 != 0) {
                                                            					_push(_t23);
                                                            					_push(_t13);
                                                            					E00419F0A();
                                                            				}
                                                            				 *(_t25 - 4) = 0xfffffffe;
                                                            				_t8 = E00417534();
                                                            				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                                                            					goto L9;
                                                            				} else {
                                                            					_push( *((intOrPtr*)(_t25 + 8)));
                                                            					goto L7;
                                                            				}
                                                            			}








                                                            APIs
                                                            • __lock.LIBCMT ref: 004174FC
                                                              • Part of subcall function 00419EA7: __mtinitlocknum.LIBCMT ref: 00419EBD
                                                              • Part of subcall function 00419EA7: __amsg_exit.LIBCMT ref: 00419EC9
                                                              • Part of subcall function 00419EA7: EnterCriticalSection.KERNEL32(?,?,?,004189B3,0000000D,0042A540,00000008,00417A97,?,00000000), ref: 00419ED1
                                                            • ___sbh_find_block.LIBCMT ref: 00417507
                                                            • ___sbh_free_block.LIBCMT ref: 00417516
                                                            • RtlFreeHeap.NTDLL(00000000,?,0042A450,0000000C,004188F9,00000000,?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C), ref: 00417546
                                                            • GetLastError.KERNEL32(?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C,00419EC2,?,?,?,004189B3,0000000D), ref: 00417557
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                            • String ID:
                                                            • API String ID: 2714421763-0
                                                            • Opcode ID: b015da1727d326e449cd797088a92338f16aa03c9485e9cd3d673cd42b4f956c
                                                            • Instruction ID: 64add48afb761cb90f48c248a03a0627652d4b19cf23b5e5f4340693ef6873dd
                                                            • Opcode Fuzzy Hash: b015da1727d326e449cd797088a92338f16aa03c9485e9cd3d673cd42b4f956c
                                                            • Instruction Fuzzy Hash: BA018F31909305BADB20AF71AD0ABDE3A759F017A9F60015FF414A66D1CB3C9AC08A6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 87%
                                                            			E00412324(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				struct _CRITICAL_SECTION* _t25;
                                                            				intOrPtr* _t29;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				intOrPtr _t45;
                                                            				intOrPtr _t46;
                                                            				intOrPtr* _t48;
                                                            				intOrPtr* _t49;
                                                            				intOrPtr* _t51;
                                                            				void* _t52;
                                                            
                                                            				_push(4);
                                                            				E00416B21(E00421F0F, __ebx, __edi, __esi);
                                                            				_t51 = __ecx;
                                                            				_t25 = __ecx + 0x10;
                                                            				 *(_t52 - 0x10) = _t25;
                                                            				EnterCriticalSection(_t25);
                                                            				_t26 =  *((intOrPtr*)(_t52 + 8));
                                                            				_t38 =  *((intOrPtr*)(_t52 + 0xc));
                                                            				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
                                                            				 *((intOrPtr*)(_t51 + 0x38)) =  *((intOrPtr*)(_t52 + 0x10));
                                                            				 *((intOrPtr*)(_t51 + 0x30)) =  *((intOrPtr*)(_t52 + 8));
                                                            				 *((intOrPtr*)(_t51 + 0x34)) =  *((intOrPtr*)(_t52 + 0xc));
                                                            				 *((intOrPtr*)(_t51 + 0x3c)) =  *((intOrPtr*)(_t52 + 0x14));
                                                            				if( *0x430640 != 0) {
                                                            					_t48 = _t51 + 8;
                                                            					E00411C88(_t48, _t26, _t38);
                                                            					_t29 =  *0x430640; // 0x487e58
                                                            					 *((intOrPtr*)( *_t29 + 0x28))(_t29,  *_t51, 2);
                                                            					_t49 =  *0x430640; // 0x487e58
                                                            					_t45 =  *((intOrPtr*)(_t51 + 0x34));
                                                            					 *((intOrPtr*)(_t52 + 0xc)) =  *_t48;
                                                            					_t32 = E00417780( *((intOrPtr*)(_t51 + 0x30)),  *_t48, _t45);
                                                            					asm("cdq");
                                                            					_t46 =  *((intOrPtr*)(_t51 + 0x3c));
                                                            					_t34 = E00417780( *((intOrPtr*)(_t51 + 0x38)),  *((intOrPtr*)(_t52 + 0xc)), _t46);
                                                            					asm("cdq");
                                                            					_t26 =  *((intOrPtr*)( *_t49 + 0x24))(_t49,  *_t51, _t34, _t46, _t32, _t45);
                                                            				}
                                                            				LeaveCriticalSection( *(_t52 - 0x10));
                                                            				return E00416BF9(_t26);
                                                            			}













                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0041232B
                                                            • EnterCriticalSection.KERNEL32(?,00000004), ref: 00412339
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 004123B4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterH_prolog3Leave
                                                            • String ID: X~H
                                                            • API String ID: 4250467438-1414872000
                                                            • Opcode ID: f1ca1d38278928531743cf0973599496185f1997b087bd932536968317e365bd
                                                            • Instruction ID: 7b34ac69ecfa62052499947f8b89ca965626569db3180aad90851b79160f7002
                                                            • Opcode Fuzzy Hash: f1ca1d38278928531743cf0973599496185f1997b087bd932536968317e365bd
                                                            • Instruction Fuzzy Hash: A71123B5200600AFC760DF65C985AAAB7F6BF88300B50992EF95A87B60C738F951CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 85%
                                                            			E004123C2(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				struct _CRITICAL_SECTION* _t23;
                                                            				intOrPtr* _t28;
                                                            				void* _t31;
                                                            				void* _t33;
                                                            				intOrPtr _t41;
                                                            				intOrPtr _t42;
                                                            				intOrPtr* _t44;
                                                            				intOrPtr* _t45;
                                                            				intOrPtr* _t47;
                                                            				void* _t48;
                                                            
                                                            				_push(4);
                                                            				E00416B21(E00421F0F, __ebx, __edi, __esi);
                                                            				_t47 = __ecx;
                                                            				_t23 = __ecx + 0x10;
                                                            				 *(_t48 - 0x10) = _t23;
                                                            				EnterCriticalSection(_t23);
                                                            				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
                                                            				 *((intOrPtr*)(_t47 + 0x38)) =  *((intOrPtr*)(_t48 + 8));
                                                            				_t25 =  *((intOrPtr*)(_t48 + 0xc));
                                                            				 *((intOrPtr*)(_t47 + 0x3c)) =  *((intOrPtr*)(_t48 + 0xc));
                                                            				if( *0x430640 != 0) {
                                                            					_t44 = _t47 + 8;
                                                            					E00411C88(_t44,  *((intOrPtr*)(_t47 + 0x30)),  *((intOrPtr*)(_t47 + 0x34)));
                                                            					_t28 =  *0x430640; // 0x487e58
                                                            					 *((intOrPtr*)( *_t28 + 0x28))(_t28,  *_t47, 2);
                                                            					_t45 =  *0x430640; // 0x487e58
                                                            					_t41 =  *((intOrPtr*)(_t47 + 0x34));
                                                            					 *((intOrPtr*)(_t48 + 0xc)) =  *_t44;
                                                            					_t31 = E00417780( *((intOrPtr*)(_t47 + 0x30)),  *_t44, _t41);
                                                            					asm("cdq");
                                                            					_t42 =  *((intOrPtr*)(_t47 + 0x3c));
                                                            					_t33 = E00417780( *((intOrPtr*)(_t47 + 0x38)),  *((intOrPtr*)(_t48 + 0xc)), _t42);
                                                            					asm("cdq");
                                                            					_t25 =  *((intOrPtr*)( *_t45 + 0x24))(_t45,  *_t47, _t33, _t42, _t31, _t41);
                                                            				}
                                                            				LeaveCriticalSection( *(_t48 - 0x10));
                                                            				return E00416BF9(_t25);
                                                            			}













                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 004123C9
                                                            • EnterCriticalSection.KERNEL32(?,00000004), ref: 004123D7
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0041244A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterH_prolog3Leave
                                                            • String ID: X~H
                                                            • API String ID: 4250467438-1414872000
                                                            • Opcode ID: e44546212c9cd121f28e1859ac9352c8223e510be0f53fe4628133fed2ae9915
                                                            • Instruction ID: b8ab0e8a091e3454a54943d1fa2376730f801439e704a0f0635c4d72261d10eb
                                                            • Opcode Fuzzy Hash: e44546212c9cd121f28e1859ac9352c8223e510be0f53fe4628133fed2ae9915
                                                            • Instruction Fuzzy Hash: 4C112575200600EFCB61EF64C985AAAB7B6FF88300F50992EF95687A60C738F951CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1250 410b45-410b60 call 416b21 CreateDirectoryW 1253 410b62-410b64 1250->1253 1254 410b66-410b71 GetLastError 1250->1254 1255 410bb3-410bb8 call 416bf9 1253->1255 1256 410bb1 1254->1256 1257 410b73-410b8d call 40320a call 409876 1254->1257 1256->1255 1264 410ba8-410bb0 call 408bfb 1257->1264 1265 410b8f-410ba6 CreateDirectoryW call 408bfb 1257->1265 1264->1256 1265->1255
                                                            C-Code - Quality: 85%
                                                            			E00410B45(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				int _t14;
                                                            				long _t15;
                                                            				signed int _t16;
                                                            				int _t22;
                                                            				signed int _t23;
                                                            				int _t31;
                                                            				void* _t32;
                                                            
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t14 = CreateDirectoryW( *(_t32 + 8), 0); // executed
                                                            				if(_t14 == 0) {
                                                            					_t15 = GetLastError();
                                                            					__eflags = _t15 - 0xb7;
                                                            					if(_t15 == 0xb7) {
                                                            						L6:
                                                            						_t16 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						E0040320A(_t32 - 0x18);
                                                            						 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                                            						__eflags = E00409876(__eflags,  *(_t32 + 8), _t32 - 0x18);
                                                            						if(__eflags == 0) {
                                                            							_push( *(_t32 - 0x18));
                                                            							L00408BFB(__ebx, __edi, CreateDirectoryW, __eflags);
                                                            							goto L6;
                                                            						} else {
                                                            							_t22 = CreateDirectoryW( *(_t32 - 0x18), 0);
                                                            							_push( *(_t32 - 0x18));
                                                            							_t31 = _t22;
                                                            							_t23 = L00408BFB(__ebx, __edi, _t31, __eflags);
                                                            							__eflags = _t31;
                                                            							_t16 = _t23 & 0xffffff00 | _t31 != 0x00000000;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t16 = 1;
                                                            				}
                                                            				return E00416BF9(_t16);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410B4C
                                                            • CreateDirectoryW.KERNELBASE(?,00000000,0000000C), ref: 00410B5C
                                                            • GetLastError.KERNEL32 ref: 00410B66
                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00410B94
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$ErrorH_prolog3Last
                                                            • String ID:
                                                            • API String ID: 2304068239-0
                                                            • Opcode ID: 7a2c59161908c7af8dd5fbba20bf608b546bdd534924d1f9c24e27307d0436b8
                                                            • Instruction ID: 172f9d72519d5a2fa44a3033f577515c06ab2bcbe3982b179992f9fb810241dd
                                                            • Opcode Fuzzy Hash: 7a2c59161908c7af8dd5fbba20bf608b546bdd534924d1f9c24e27307d0436b8
                                                            • Instruction Fuzzy Hash: 60F08131904215ABDF10AB91CD02BEE7F319F10715F51406AAA00661E2CB78EAD2969D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E004179BA(long _a4) {
                                                            				void* _t6;
                                                            				void* _t9;
                                                            				void* _t10;
                                                            
                                                            				_t11 =  *0x4342fc;
                                                            				if( *0x4342fc != 0 && E0041AFE0(_t11, 0x4342fc) != 0) {
                                                            					 *0x4342fc();
                                                            				}
                                                            				if(E0041888F(_t6) != 0) {
                                                            					E00418A51(_t6, _t9, _t10, _t2); // executed
                                                            				}
                                                            				ExitThread(_a4);
                                                            			}






                                                            APIs
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 004179CD
                                                              • Part of subcall function 0041AFE0: __FindPESection.LIBCMT ref: 0041B03B
                                                            • __getptd_noexit.LIBCMT ref: 004179DD
                                                            • __freeptd.LIBCMT ref: 004179E7
                                                            • ExitThread.KERNEL32 ref: 004179F0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 3182216644-0
                                                            • Opcode ID: 248dff81f2ed47bffa5431741d82cf7db17d51ce89a6d991ca8d81712fb1923e
                                                            • Instruction ID: 74958c9a6b692f66c632ff5e924dfbe5784b6134d24ea96b71ae755472240e2c
                                                            • Opcode Fuzzy Hash: 248dff81f2ed47bffa5431741d82cf7db17d51ce89a6d991ca8d81712fb1923e
                                                            • Instruction Fuzzy Hash: D2D0C27010420557E7103BA7DC0EBE736686F403D0F94402BB404900A0DE2CECD1C92D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E00412970() {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				intOrPtr* _t133;
                                                            				signed int _t134;
                                                            				signed int _t142;
                                                            				intOrPtr* _t144;
                                                            				intOrPtr _t146;
                                                            				intOrPtr* _t147;
                                                            				signed int _t148;
                                                            				intOrPtr* _t153;
                                                            				intOrPtr* _t156;
                                                            				signed int _t158;
                                                            				intOrPtr _t160;
                                                            				intOrPtr* _t179;
                                                            				intOrPtr _t181;
                                                            				signed int _t182;
                                                            				intOrPtr* _t185;
                                                            				signed int _t188;
                                                            				signed int _t196;
                                                            				intOrPtr* _t197;
                                                            				void* _t215;
                                                            				signed int _t216;
                                                            				signed int _t265;
                                                            				signed int _t267;
                                                            				intOrPtr* _t269;
                                                            				short* _t271;
                                                            				void* _t273;
                                                            
                                                            				_t271 = _t273 - 0x68;
                                                            				_t269 =  *((intOrPtr*)(_t271 + 0x70));
                                                            				if(E00411CBC(_t269 + 0xc8) == 0) {
                                                            					E00402B01(_t269 + 0x50);
                                                            					 *(_t271 + 0x10) = 0;
                                                            					 *((short*)(_t271 + 0x12)) = 0;
                                                            					_t133 =  *((intOrPtr*)(_t269 + 0x10));
                                                            					_t134 =  *((intOrPtr*)( *_t133 + 0x18))(_t133,  *(_t271 + 0x74), 3, _t271 + 0x10, _t265, _t215);
                                                            					_t216 = 0;
                                                            					__eflags = _t134;
                                                            					if(_t134 == 0) {
                                                            						E0040320A(_t271 + 0x5c);
                                                            						__eflags =  *(_t271 + 0x10);
                                                            						if( *(_t271 + 0x10) != 0) {
                                                            							__eflags =  *(_t271 + 0x10) - 8;
                                                            							if(__eflags == 0) {
                                                            								E004090CA(_t271 + 0x5c, _t271,  *((intOrPtr*)(_t271 + 0x18)));
                                                            								goto L11;
                                                            							}
                                                            							goto L9;
                                                            						} else {
                                                            							E00408639(_t271 + 0x5c, _t271, _t269 + 0x54);
                                                            							L11:
                                                            							E00408639(_t269 + 0x20, _t271, _t271 + 0x5c);
                                                            							__eflags =  *((intOrPtr*)(_t271 + 0x7c)) - _t216;
                                                            							if(__eflags != 0) {
                                                            								 *( *(_t271 + 0x78)) = _t216;
                                                            								L42:
                                                            								_push( *((intOrPtr*)(_t271 + 0x5c)));
                                                            								L00408BFB(_t216, _t265, _t269, __eflags);
                                                            								goto L5;
                                                            							}
                                                            							 *(_t271 + 0x4c) = 0;
                                                            							 *((short*)(_t271 + 0x4e)) = 0;
                                                            							_t144 =  *((intOrPtr*)(_t269 + 0x10));
                                                            							_t267 =  *((intOrPtr*)( *_t144 + 0x18))(_t144,  *(_t271 + 0x74), 9, _t271 + 0x4c);
                                                            							__eflags = _t267 - _t216;
                                                            							if(_t267 == _t216) {
                                                            								__eflags =  *(_t271 + 0x4c) - _t216;
                                                            								if( *(_t271 + 0x4c) != _t216) {
                                                            									__eflags =  *(_t271 + 0x4c) - 0x13;
                                                            									if( *(_t271 + 0x4c) == 0x13) {
                                                            										_t146 =  *((intOrPtr*)(_t271 + 0x54));
                                                            										L19:
                                                            										 *((intOrPtr*)(_t269 + 0x48)) = _t146;
                                                            										_t147 =  *((intOrPtr*)(_t269 + 0x10));
                                                            										_t148 =  *((intOrPtr*)( *_t147 + 0x18))(_t147,  *(_t271 + 0x74), 6, _t271 + 0x4c);
                                                            										_t267 = _t148;
                                                            										__eflags = _t267 - _t216;
                                                            										if(_t267 != _t216) {
                                                            											goto L13;
                                                            										}
                                                            										__eflags =  *((intOrPtr*)(_t271 + 0x54)) - _t216;
                                                            										 *((char*)(_t269 + 0x44)) = _t148 & 0xffffff00 |  *((intOrPtr*)(_t271 + 0x54)) != _t216;
                                                            										 *_t271 = 0;
                                                            										 *((short*)(_t271 + 2)) = 0;
                                                            										_t153 =  *((intOrPtr*)(_t269 + 0x10));
                                                            										 *(_t271 + 0x73) = _t216;
                                                            										_t267 =  *((intOrPtr*)( *_t153 + 0x18))(_t153,  *(_t271 + 0x74), 0x15, _t271);
                                                            										__eflags = _t267 - _t216;
                                                            										if(_t267 == _t216) {
                                                            											__eflags =  *_t271 - 0xb;
                                                            											if( *_t271 == 0xb) {
                                                            												__eflags =  *((intOrPtr*)(_t271 + 8)) - _t216;
                                                            												_t51 = _t271 + 0x73;
                                                            												 *_t51 =  *((intOrPtr*)(_t271 + 8)) != _t216;
                                                            												__eflags =  *_t51;
                                                            											}
                                                            											E00409A4A(_t271);
                                                            											_t156 =  *((intOrPtr*)(_t269 + 0x10));
                                                            											_t264 = _t271 + 0x4c;
                                                            											_t267 =  *((intOrPtr*)( *_t156 + 0x18))(_t156,  *(_t271 + 0x74), 0xc, _t271 + 0x4c);
                                                            											__eflags = _t267 - _t216;
                                                            											if(_t267 != _t216) {
                                                            												goto L13;
                                                            											} else {
                                                            												_t158 =  *(_t271 + 0x4c) & 0x0000ffff;
                                                            												__eflags = _t158 - _t216;
                                                            												if(__eflags == 0) {
                                                            													_t265 = _t269 + 0x3c;
                                                            													 *_t265 =  *((intOrPtr*)(_t269 + 0x60));
                                                            													_t160 =  *((intOrPtr*)(_t269 + 0x64));
                                                            													L29:
                                                            													 *((intOrPtr*)(_t265 + 4)) = _t160;
                                                            													_push(_t271 + 0x2c);
                                                            													_push(_t271 + 0x5c);
                                                            													 *(_t271 + 0x30) = _t216;
                                                            													 *(_t271 + 0x34) = _t216;
                                                            													 *(_t271 + 0x38) = _t216;
                                                            													 *((intOrPtr*)(_t271 + 0x3c)) = 4;
                                                            													 *((intOrPtr*)(_t271 + 0x2c)) = 0x423798;
                                                            													E0040900B(_t216, _t264, _t265, _t269, __eflags);
                                                            													__eflags =  *(_t271 + 0x34) - _t216;
                                                            													if(__eflags != 0) {
                                                            														E00404082(_t271 + 0x20, _t271, _t271 + 0x5c);
                                                            														__eflags =  *((intOrPtr*)(_t269 + 0x44)) - _t216;
                                                            														if( *((intOrPtr*)(_t269 + 0x44)) == _t216) {
                                                            															E00408A40(_t271 + 0x2c);
                                                            														}
                                                            														__eflags =  *(_t271 + 0x34) - _t216;
                                                            														if(__eflags != 0) {
                                                            															__eflags =  *(_t271 + 0x73) - _t216;
                                                            															if(__eflags == 0) {
                                                            																_push(_t271 + 0x2c);
                                                            																E00412707(_t216, _t269, _t264, _t265, _t269, __eflags); // executed
                                                            															}
                                                            														}
                                                            														_push(_t271 + 0x20);
                                                            														_push(_t269 + 0x14);
                                                            														_push(_t271 + 0x40);
                                                            														E004096A4(_t216, _t265, _t269, __eflags);
                                                            														__eflags =  *((intOrPtr*)(_t269 + 0x44)) - _t216;
                                                            														if( *((intOrPtr*)(_t269 + 0x44)) == _t216) {
                                                            															E0040320A(_t271 - 0x10);
                                                            															_push( *((intOrPtr*)(_t271 + 0x40)));
                                                            															__eflags = E00409371(_t216, _t271 - 0x38, _t264, _t265, _t269, __eflags);
                                                            															if(__eflags == 0) {
                                                            																L51:
                                                            																__eflags =  *(_t271 + 0x73) - _t216;
                                                            																if(__eflags != 0) {
                                                            																	L62:
                                                            																	E00408639(_t269 + 0x2c, _t271, _t271 + 0x40);
                                                            																	_push( *((intOrPtr*)(_t271 - 0x10)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	_push( *((intOrPtr*)(_t271 + 0x40)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	_push( *((intOrPtr*)(_t271 + 0x20)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	goto L41;
                                                            																}
                                                            																_t179 = E00408BD0(_t216, _t265, __eflags, 0x18);
                                                            																__eflags = _t179 - _t216;
                                                            																if(_t179 == _t216) {
                                                            																	_t179 = 0;
                                                            																	__eflags = 0;
                                                            																} else {
                                                            																	 *(_t179 + 4) = _t216;
                                                            																	 *_t179 = 0x423eb0;
                                                            																	 *(_t179 + 8) =  *(_t179 + 8) | 0xffffffff;
                                                            																}
                                                            																 *((intOrPtr*)(_t269 + 0x4c)) = _t179;
                                                            																E0040222C(_t271 + 0x74, _t179);
                                                            																_t181 =  *((intOrPtr*)(_t269 + 0x4c));
                                                            																 *(_t181 + 0x10) = _t216;
                                                            																 *(_t181 + 0x14) = _t216;
                                                            																_t182 = E0040999D( *((intOrPtr*)(_t271 + 0x40)), 1);
                                                            																__eflags = _t182;
                                                            																if(_t182 != 0) {
                                                            																	L61:
                                                            																	_t265 =  *(_t271 + 0x74);
                                                            																	E00406200(_t269 + 0x50, _t265);
                                                            																	 *( *(_t271 + 0x78)) = _t265;
                                                            																	goto L62;
                                                            																} else {
                                                            																	__eflags =  *((intOrPtr*)(_t269 + 0x139)) - _t216;
                                                            																	if( *((intOrPtr*)(_t269 + 0x139)) == _t216) {
                                                            																		_t185 =  *0x430640; // 0x487e58
                                                            																		__eflags = _t185 - _t216;
                                                            																		if(_t185 != _t216) {
                                                            																			 *((intOrPtr*)( *_t185 + 0x28))(_t185,  *((intOrPtr*)(_t269 + 0x134)), 4);
                                                            																		}
                                                            																		goto L61;
                                                            																	}
                                                            																	E00408639(_t269 + 0x114, _t271, 0x4305c4);
                                                            																	_t188 =  *(_t271 + 0x74);
                                                            																	__eflags = _t188 - _t216;
                                                            																	if(__eflags != 0) {
                                                            																		 *((intOrPtr*)( *_t188 + 8))(_t188);
                                                            																	}
                                                            																	L50:
                                                            																	_push( *((intOrPtr*)(_t271 - 0x10)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	_push( *((intOrPtr*)(_t271 + 0x40)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	_push( *((intOrPtr*)(_t271 + 0x20)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	goto L30;
                                                            																}
                                                            															}
                                                            															_push( *((intOrPtr*)(_t271 + 0x40)));
                                                            															_t196 = E00410BBB(_t216, _t265, _t269, __eflags);
                                                            															__eflags = _t196;
                                                            															if(_t196 != 0) {
                                                            																goto L51;
                                                            															}
                                                            															__eflags =  *((intOrPtr*)(_t269 + 0x139)) - _t216;
                                                            															if( *((intOrPtr*)(_t269 + 0x139)) == _t216) {
                                                            																_t197 =  *0x430640; // 0x487e58
                                                            																__eflags = _t197 - _t216;
                                                            																if(__eflags != 0) {
                                                            																	 *((intOrPtr*)( *_t197 + 0x28))(_t197,  *((intOrPtr*)(_t269 + 0x134)), 4);
                                                            																}
                                                            																 *((intOrPtr*)( *((intOrPtr*)(_t269 + 0x70)) + 4))( *0x4305b8,  *0x4305ac, _t216);
                                                            															} else {
                                                            																E00408639(_t269 + 0x114, _t271, 0x4305b8);
                                                            															}
                                                            															goto L50;
                                                            														} else {
                                                            															_t269 = _t269 + 0x2c;
                                                            															E00408639(_t269, _t271, _t271 + 0x40);
                                                            															__eflags =  *(_t271 + 0x73) - _t216;
                                                            															if(__eflags == 0) {
                                                            																E004109DE(_t216, _t265, _t269, __eflags,  *_t269, _t216, _t216, _t265); // executed
                                                            															} else {
                                                            																_push( *_t269);
                                                            																E00410AE4(_t216, _t265, _t269, __eflags);
                                                            															}
                                                            															_push( *((intOrPtr*)(_t271 + 0x40)));
                                                            															L00408BFB(_t216, _t265, _t269, __eflags);
                                                            															_push( *((intOrPtr*)(_t271 + 0x20)));
                                                            															L00408BFB(_t216, _t265, _t269, __eflags);
                                                            															L41:
                                                            															E004085B9(_t216, _t271 + 0x2c, _t265, _t269, __eflags);
                                                            															E00409A4A(_t271 + 0x4c);
                                                            															goto L42;
                                                            														}
                                                            													}
                                                            													L30:
                                                            													E004085B9(_t216, _t271 + 0x2c, _t265, _t269, __eflags);
                                                            													goto L17;
                                                            												}
                                                            												__eflags = _t158 - 0x40;
                                                            												if(__eflags != 0) {
                                                            													goto L17;
                                                            												}
                                                            												_t265 = _t269 + 0x3c;
                                                            												 *_t265 =  *((intOrPtr*)(_t271 + 0x54));
                                                            												_t160 =  *((intOrPtr*)(_t271 + 0x58));
                                                            												goto L29;
                                                            											}
                                                            										}
                                                            										E00409A4A(_t271);
                                                            										goto L13;
                                                            									}
                                                            									L17:
                                                            									E00409A4A(_t271 + 0x4c);
                                                            									L9:
                                                            									_push( *((intOrPtr*)(_t271 + 0x5c)));
                                                            									L00408BFB(_t216, _t265, _t269, __eflags);
                                                            									_t216 = 0x80004005;
                                                            									goto L5;
                                                            								}
                                                            								_t146 =  *((intOrPtr*)(_t269 + 0x68));
                                                            								goto L19;
                                                            							}
                                                            							L13:
                                                            							E00409A4A(_t271 + 0x4c);
                                                            							_push( *((intOrPtr*)(_t271 + 0x5c)));
                                                            							L00408BFB(_t216, _t267, _t269, __eflags);
                                                            							_t216 = _t267;
                                                            							goto L5;
                                                            						}
                                                            					} else {
                                                            						_t216 = _t134;
                                                            						L5:
                                                            						E00409A4A(_t271 + 0x10);
                                                            						_t142 = _t216;
                                                            						goto L2;
                                                            					}
                                                            				} else {
                                                            					_t142 = 0x80004004;
                                                            					L2:
                                                            					return _t142;
                                                            				}
                                                            			}
































                                                            0x00412b81
                                                            0x00412b86
                                                            0x00412b86
                                                            0x00412b8b
                                                            0x00412b8e
                                                            0x00412b90
                                                            0x00412b93
                                                            0x00412b98
                                                            0x00412b9b
                                                            0x00412b9b
                                                            0x00412b93
                                                            0x00412ba3
                                                            0x00412ba7
                                                            0x00412bab
                                                            0x00412bac
                                                            0x00412bb1
                                                            0x00412bb4
                                                            0x00412c0f
                                                            0x00412c14
                                                            0x00412c1f
                                                            0x00412c21
                                                            0x00412c95
                                                            0x00412c95
                                                            0x00412c98
                                                            0x00412d38
                                                            0x00412d3f
                                                            0x00412d44
                                                            0x00412d47
                                                            0x00412d4c
                                                            0x00412d4f
                                                            0x00412d54
                                                            0x00412d57
                                                            0x00000000
                                                            0x00412d5c
                                                            0x00412ca0
                                                            0x00412ca6
                                                            0x00412ca8
                                                            0x00412cb9
                                                            0x00412cb9
                                                            0x00412caa
                                                            0x00412caa
                                                            0x00412cad
                                                            0x00412cb3
                                                            0x00412cb3
                                                            0x00412cbf
                                                            0x00412cc2
                                                            0x00412cca
                                                            0x00412cd3
                                                            0x00412cd6
                                                            0x00412cd9
                                                            0x00412cde
                                                            0x00412ce0
                                                            0x00412d27
                                                            0x00412d27
                                                            0x00412d2e
                                                            0x00412d36
                                                            0x00000000
                                                            0x00412ce2
                                                            0x00412ce2
                                                            0x00412ce8
                                                            0x00412d10
                                                            0x00412d15
                                                            0x00412d17
                                                            0x00412d24
                                                            0x00412d24
                                                            0x00000000
                                                            0x00412d17
                                                            0x00412cf5
                                                            0x00412cfa
                                                            0x00412cfd
                                                            0x00412cff
                                                            0x00412d08
                                                            0x00412d08
                                                            0x00412c75
                                                            0x00412c75
                                                            0x00412c78
                                                            0x00412c7d
                                                            0x00412c80
                                                            0x00412c85
                                                            0x00412c88
                                                            0x00000000
                                                            0x00412c8d
                                                            0x00412ce0
                                                            0x00412c23
                                                            0x00412c26
                                                            0x00412c2b
                                                            0x00412c2d
                                                            0x00000000
                                                            0x00000000
                                                            0x00412c2f
                                                            0x00412c35
                                                            0x00412c49
                                                            0x00412c4e
                                                            0x00412c50
                                                            0x00412c5d
                                                            0x00412c5d
                                                            0x00412c72
                                                            0x00412c37
                                                            0x00412c42
                                                            0x00412c42
                                                            0x00000000
                                                            0x00412bb6
                                                            0x00412bb9
                                                            0x00412bbf
                                                            0x00412bc4
                                                            0x00412bc7
                                                            0x00412bd7
                                                            0x00412bc9
                                                            0x00412bc9
                                                            0x00412bcb
                                                            0x00412bcb
                                                            0x00412bdc
                                                            0x00412bdf
                                                            0x00412be4
                                                            0x00412be7
                                                            0x00412bee
                                                            0x00412bf1
                                                            0x00412bf9
                                                            0x00000000
                                                            0x00412bf9
                                                            0x00412bb4
                                                            0x00412b65
                                                            0x00412b68
                                                            0x00000000
                                                            0x00412b68
                                                            0x00412b18
                                                            0x00412b1b
                                                            0x00000000
                                                            0x00000000
                                                            0x00412b24
                                                            0x00412b27
                                                            0x00412b29
                                                            0x00000000
                                                            0x00412b29
                                                            0x00412b0a
                                                            0x00412ad3
                                                            0x00000000
                                                            0x00412ad3
                                                            0x00412a76
                                                            0x00412a79
                                                            0x004129fa
                                                            0x004129fa
                                                            0x004129fd
                                                            0x00412a03
                                                            0x00000000
                                                            0x00412a03
                                                            0x00412a6a
                                                            0x00000000
                                                            0x00412a6a
                                                            0x00412a4c
                                                            0x00412a4f
                                                            0x00412a54
                                                            0x00412a57
                                                            0x00412a5d
                                                            0x00000000
                                                            0x00412a5d
                                                            0x004129c7
                                                            0x004129c7
                                                            0x004129c9
                                                            0x004129cc
                                                            0x004129d2
                                                            0x00000000
                                                            0x004129d4
                                                            0x0041298e
                                                            0x0041298e
                                                            0x00412993
                                                            0x00412998
                                                            0x00412998

                                                            APIs
                                                              • Part of subcall function 00411CBC: EnterCriticalSection.KERNEL32(?), ref: 00411CC5
                                                              • Part of subcall function 00411CBC: LeaveCriticalSection.KERNEL32(?), ref: 00411CCF
                                                            • ~_Task_impl.LIBCPMT ref: 00412B68
                                                            • ~_Task_impl.LIBCPMT ref: 00412BF1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSectionTask_impl$EnterLeave
                                                            • String ID: X~H
                                                            • API String ID: 780354280-1414872000
                                                            • Opcode ID: 5db38160026231b1d05107a20a45b2055f218631d3f834470e5cee2c662f684f
                                                            • Instruction ID: f3c787646c1c79f05cba076eed6d765f51bab2c113c252654ac499985378fac1
                                                            • Opcode Fuzzy Hash: 5db38160026231b1d05107a20a45b2055f218631d3f834470e5cee2c662f684f
                                                            • Instruction Fuzzy Hash: 4AD18C71100248DFCF24EF65CA909EE37B5BF08304B10452EF956972A2EB79ED95DB48
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E0040BD49(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t136;
                                                            				intOrPtr* _t142;
                                                            				signed int _t145;
                                                            				signed int _t146;
                                                            				signed int _t150;
                                                            				signed int _t154;
                                                            				signed int _t162;
                                                            				void* _t166;
                                                            				void* _t177;
                                                            				char* _t182;
                                                            				signed int _t192;
                                                            				signed int _t197;
                                                            				intOrPtr _t199;
                                                            				void* _t204;
                                                            				void* _t208;
                                                            				intOrPtr _t228;
                                                            				void* _t240;
                                                            				void* _t245;
                                                            				signed int _t249;
                                                            				signed int _t252;
                                                            				void* _t253;
                                                            
                                                            				_t245 = __edx;
                                                            				_push(0x5c);
                                                            				E00416B21(E00421A44, __ebx, __edi, __esi);
                                                            				_t208 = __ecx;
                                                            				E00402B01(__ecx);
                                                            				_t247 = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x34)) = 0;
                                                            				 *((short*)( *((intOrPtr*)(__ecx + 0x30)))) = 0;
                                                            				E0040908D(0, __esi, _t253 - 0x20, __ecx + 4);
                                                            				 *((intOrPtr*)(_t253 - 4)) = 0;
                                                            				E0040320A(_t253 - 0x2c);
                                                            				 *((char*)(_t253 - 4)) = 1;
                                                            				if(E004099B4(_t253 - 0x20, 0x2e) >= 0) {
                                                            					_t204 = E00408826(_t253 - 0x20, _t253 - 0x44, _t135 + 1);
                                                            					 *((char*)(_t253 - 4)) = 2;
                                                            					E00408639(_t253 - 0x2c, _t253, _t204);
                                                            					_push( *((intOrPtr*)(_t253 - 0x44)));
                                                            					L00408BFB(_t208, 0, __esi, _t135 + 1);
                                                            				}
                                                            				 *(_t253 - 0x64) = _t247;
                                                            				 *(_t253 - 0x60) = _t247;
                                                            				 *(_t253 - 0x5c) = _t247;
                                                            				 *((intOrPtr*)(_t253 - 0x58)) = 4;
                                                            				 *((intOrPtr*)(_t253 - 0x68)) = 0x42350c;
                                                            				 *((char*)(_t253 - 4)) = 3;
                                                            				if( *(_t253 + 0xc) < _t247) {
                                                            					_t136 =  *((intOrPtr*)(_t253 + 8));
                                                            					_t249 = 0;
                                                            					__eflags =  *((intOrPtr*)(_t136 + 0x10)) - _t247;
                                                            					 *(_t253 + 0xc) = _t247;
                                                            					if( *((intOrPtr*)(_t136 + 0x10)) <= _t247) {
                                                            						L9:
                                                            						__eflags =  *((intOrPtr*)(_t253 + 0x10)) - _t247;
                                                            						if( *((intOrPtr*)(_t253 + 0x10)) != _t247) {
                                                            							goto L14;
                                                            						}
                                                            						__eflags =  *(_t253 + 0xc) - 1;
                                                            						if( *(_t253 + 0xc) == 1) {
                                                            							E00408A4D(_t253 - 0x68, 1);
                                                            							goto L14;
                                                            						}
                                                            						goto L11;
                                                            					} else {
                                                            						goto L5;
                                                            					}
                                                            					do {
                                                            						L5:
                                                            						_t197 = E0040B987( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t253 + 8)) + 0x14)) + _t249 * 4)), _t253 - 0x2c);
                                                            						_push(_t249);
                                                            						_t240 = _t253 - 0x68;
                                                            						__eflags = _t197;
                                                            						if(_t197 < 0) {
                                                            							E0040105E(_t240);
                                                            						} else {
                                                            							E0040B786(_t240,  *(_t253 + 0xc));
                                                            							 *(_t253 + 0xc) =  *(_t253 + 0xc) + 1;
                                                            						}
                                                            						_t199 =  *((intOrPtr*)(_t253 + 8));
                                                            						_t249 = _t249 + 1;
                                                            						__eflags = _t249 -  *((intOrPtr*)(_t199 + 0x10));
                                                            					} while (_t249 <  *((intOrPtr*)(_t199 + 0x10)));
                                                            					goto L9;
                                                            				} else {
                                                            					E0040105E(_t253 - 0x68,  *(_t253 + 0xc));
                                                            					L14:
                                                            					 *(_t253 + 0xc) = _t247;
                                                            					if( *(_t253 - 0x60) <= _t247) {
                                                            						L28:
                                                            						_t251 = 1;
                                                            						L12:
                                                            						 *((char*)(_t253 - 4)) = 1;
                                                            						E00408BC5(_t253 - 0x68);
                                                            						_push( *((intOrPtr*)(_t253 - 0x2c)));
                                                            						L00408BFB(_t208, _t247, _t251, _t265);
                                                            						_push( *((intOrPtr*)(_t253 - 0x20)));
                                                            						L00408BFB(_t208, _t247, _t251, _t265);
                                                            						return E00416BF9(_t251);
                                                            					} else {
                                                            						goto L15;
                                                            					}
                                                            					do {
                                                            						L15:
                                                            						_t142 =  *((intOrPtr*)(_t253 + 0x10));
                                                            						if(_t142 == _t247) {
                                                            							L17:
                                                            							 *(_t253 - 0x14) = _t247;
                                                            							 *((char*)(_t253 - 4)) = 4;
                                                            							 *(_t208 + 0x1c) =  *( *(_t253 - 0x5c) +  *(_t253 + 0xc) * 4);
                                                            							_t145 = E0040B9BB( *((intOrPtr*)(_t253 + 8)),  *( *(_t253 - 0x5c) +  *(_t253 + 0xc) * 4), _t253 - 0x14);
                                                            							_t251 = _t145;
                                                            							if(_t145 != _t247) {
                                                            								_t146 =  *(_t253 - 0x14);
                                                            								 *((char*)(_t253 - 4)) = 3;
                                                            								__eflags = _t146 - _t247;
                                                            								if(_t146 != _t247) {
                                                            									 *((intOrPtr*)( *_t146 + 8))(_t146);
                                                            								}
                                                            								goto L12;
                                                            							}
                                                            							_t252 =  *(_t253 - 0x14);
                                                            							if(_t252 != _t247) {
                                                            								__eflags =  *((intOrPtr*)(_t253 + 0x10)) - _t247;
                                                            								if( *((intOrPtr*)(_t253 + 0x10)) == _t247) {
                                                            									 *(_t253 - 0x10) = _t247;
                                                            									 *((char*)(_t253 - 4)) = 5;
                                                            									 *((intOrPtr*)( *_t252))(_t252, 0x424134, _t253 - 0x10);
                                                            									_t150 =  *(_t253 - 0x10);
                                                            									__eflags = _t150 - _t247;
                                                            									if(_t150 == _t247) {
                                                            										 *((char*)(_t253 - 4)) = 3;
                                                            										 *((intOrPtr*)( *_t252 + 8))(_t252);
                                                            										L11:
                                                            										_t251 = 0x80004001;
                                                            										goto L12;
                                                            									}
                                                            									_t247 =  *((intOrPtr*)( *_t150 + 0xc))(_t150,  *((intOrPtr*)(_t253 + 0x14)));
                                                            									_t154 =  *(_t253 - 0x10);
                                                            									 *((char*)(_t253 - 4)) = 4;
                                                            									__eflags = _t154;
                                                            									if(_t154 != 0) {
                                                            										 *((intOrPtr*)( *_t154 + 8))(_t154);
                                                            									}
                                                            									L25:
                                                            									__eflags = _t247 - 1;
                                                            									if(_t247 != 1) {
                                                            										__eflags = _t247;
                                                            										if(_t247 == 0) {
                                                            											 *((short*)(_t253 - 0x54)) = 0;
                                                            											 *((short*)(_t253 - 0x52)) = 0;
                                                            											 *((char*)(_t253 - 4)) = 6;
                                                            											 *((intOrPtr*)( *_t252 + 0x20))(_t252, 0x37, _t253 - 0x54);
                                                            											__eflags =  *((short*)(_t253 - 0x54));
                                                            											if( *((short*)(_t253 - 0x54)) != 0) {
                                                            												__eflags =  *((short*)(_t253 - 0x54)) - 8;
                                                            												_t182 =  *(_t253 - 0x4c);
                                                            												if( *((short*)(_t253 - 0x54)) != 8) {
                                                            													_t182 = L"Unknown error";
                                                            												}
                                                            												E004090CA(_t208 + 0x30, _t253, _t182);
                                                            											}
                                                            											 *((char*)(_t253 - 4)) = 4;
                                                            											E00409A4A(_t253 - 0x54);
                                                            											E00406200(_t208, _t252);
                                                            											_t247 =  *( *((intOrPtr*)( *((intOrPtr*)(_t253 + 8)) + 0x14)) +  *(_t208 + 0x1c) * 4);
                                                            											__eflags =  *(_t247 + 0x20);
                                                            											if( *(_t247 + 0x20) != 0) {
                                                            												_t162 = E0040B987(_t247, _t253 - 0x2c);
                                                            												__eflags = _t162;
                                                            												if(__eflags < 0) {
                                                            													_t162 = 0;
                                                            													__eflags = 0;
                                                            												}
                                                            												_t228 =  *((intOrPtr*)(_t247 + 0x24));
                                                            												_t119 =  *((intOrPtr*)(_t228 + _t162 * 4)) + 0xc; // 0xc
                                                            												_push( *((intOrPtr*)(_t228 + _t162 * 4)));
                                                            												_push(_t253 - 0x20);
                                                            												_push(_t253 - 0x50);
                                                            												_t166 = E0040B72F(_t245, _t252, __eflags);
                                                            												 *((char*)(_t253 - 4)) = 0xa;
                                                            												E00408639(_t208 + 0x10, _t253, _t166);
                                                            												_push( *((intOrPtr*)(_t253 - 0x50)));
                                                            												L00408BFB(_t208, _t247, _t252, __eflags);
                                                            											} else {
                                                            												_t247 = 0x423a68;
                                                            												E00401647(_t253 - 0x44, _t253, 0x423a68);
                                                            												 *((char*)(_t253 - 4)) = 7;
                                                            												E00401647(_t253 - 0x38, _t253, 0x423a68);
                                                            												_push(_t253 - 0x44);
                                                            												_push(_t253 - 0x38);
                                                            												_push(_t253 - 0x20);
                                                            												_push(_t253 - 0x50);
                                                            												 *((char*)(_t253 - 4)) = 8;
                                                            												_t177 = E0040B72F(_t245, _t252, __eflags);
                                                            												 *((char*)(_t253 - 4)) = 9;
                                                            												E00408639(_t208 + 0x10, _t253, _t177);
                                                            												_push( *((intOrPtr*)(_t253 - 0x50)));
                                                            												L00408BFB(_t208, 0x423a68, _t252, __eflags);
                                                            												_push( *((intOrPtr*)(_t253 - 0x38)));
                                                            												L00408BFB(_t208, 0x423a68, _t252, __eflags);
                                                            												_push( *((intOrPtr*)(_t253 - 0x44)));
                                                            												L00408BFB(_t208, 0x423a68, _t252, __eflags);
                                                            											}
                                                            											 *((char*)(_t253 - 4)) = 3;
                                                            											 *((intOrPtr*)( *_t252 + 8))(_t252);
                                                            											_t251 = 0;
                                                            										} else {
                                                            											 *((char*)(_t253 - 4)) = 3;
                                                            											 *((intOrPtr*)( *_t252 + 8))(_t252);
                                                            											_t251 = _t247;
                                                            										}
                                                            										goto L12;
                                                            									}
                                                            									 *((char*)(_t253 - 4)) = 3;
                                                            									 *((intOrPtr*)( *_t252 + 8))(_t252);
                                                            									_t247 = 0;
                                                            									__eflags = 0;
                                                            									goto L27;
                                                            								}
                                                            								_t247 =  *((intOrPtr*)( *_t252 + 0xc))(_t252,  *((intOrPtr*)(_t253 + 0x10)), 0x4239b0,  *((intOrPtr*)(_t253 + 0x18)));
                                                            								goto L25;
                                                            							}
                                                            							 *((char*)(_t253 - 4)) = 3;
                                                            							goto L27;
                                                            						}
                                                            						_t192 =  *((intOrPtr*)( *_t142 + 0x10))(_t142, _t247, _t247, _t247, _t247);
                                                            						if(_t192 != _t247) {
                                                            							_t251 = _t192;
                                                            							goto L12;
                                                            						}
                                                            						goto L17;
                                                            						L27:
                                                            						 *(_t253 + 0xc) =  *(_t253 + 0xc) + 1;
                                                            						_t265 =  *(_t253 + 0xc) -  *(_t253 - 0x60);
                                                            					} while ( *(_t253 + 0xc) <  *(_t253 - 0x60));
                                                            					goto L28;
                                                            				}
                                                            			}

























                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: Unknown error$h:B
                                                            • API String ID: 431132790-2896083918
                                                            • Opcode ID: abccca4332b3002c4f91c4449bdd3b9f37efbcd25ee3691752ef5f84edf4cfa5
                                                            • Instruction ID: 229dc10dfcce490ce841081ad363faeb39fea5f37d816de3d49a9016c6dfb729
                                                            • Opcode Fuzzy Hash: abccca4332b3002c4f91c4449bdd3b9f37efbcd25ee3691752ef5f84edf4cfa5
                                                            • Instruction Fuzzy Hash: 30B16070900248DFCB01DF95C9849DEBBB8EF59304F14446FF845BB292DB789A45CBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E00404515(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t52;
                                                            				intOrPtr _t56;
                                                            				intOrPtr _t61;
                                                            				intOrPtr _t63;
                                                            				intOrPtr _t65;
                                                            				intOrPtr _t67;
                                                            				intOrPtr _t73;
                                                            				intOrPtr _t78;
                                                            				intOrPtr _t79;
                                                            				intOrPtr _t83;
                                                            				intOrPtr _t84;
                                                            				intOrPtr _t89;
                                                            				void* _t91;
                                                            				intOrPtr* _t92;
                                                            				intOrPtr* _t93;
                                                            				void* _t96;
                                                            				intOrPtr _t99;
                                                            				void* _t102;
                                                            				intOrPtr _t103;
                                                            				void* _t106;
                                                            				void* _t107;
                                                            				void* _t109;
                                                            
                                                            				_t109 = __eflags;
                                                            				_push(0x24);
                                                            				E00416B21(E004210A6, __ebx, __edi, __esi);
                                                            				_t102 = __ecx;
                                                            				_t98 = __ecx + 0x28;
                                                            				_t52 = E0040B06F(_t109,  *((intOrPtr*)(_t106 + 8)), __ecx + 0x28, 0x20); // executed
                                                            				if(_t52 == 0) {
                                                            					if(E00403DB0(_t98) == 0) {
                                                            						 *((intOrPtr*)(_t106 - 0x30)) = 0x423364;
                                                            						 *((intOrPtr*)(_t106 - 0x2c)) = 0;
                                                            						 *((intOrPtr*)(_t106 - 0x28)) = 0;
                                                            						_t6 = _t106 - 0x30; // 0x423364
                                                            						 *((intOrPtr*)(_t106 - 4)) = 0;
                                                            						E0040140A(_t6, _t106, 0x10000);
                                                            						_t56 = 0x20;
                                                            						_t99 =  *((intOrPtr*)(_t106 - 0x28));
                                                            						 *((intOrPtr*)(_t106 - 0x10)) = _t56;
                                                            						E00416FC0(0, _t99, _t102, _t99, _t98, _t56);
                                                            						_t83 =  *((intOrPtr*)(_t102 + 0x20));
                                                            						 *((intOrPtr*)(_t106 - 0x20)) =  *((intOrPtr*)(_t102 + 0x24));
                                                            						while(1) {
                                                            							L4:
                                                            							_t93 =  *((intOrPtr*)(_t106 + 0xc));
                                                            							_t107 = _t107 + 0xc;
                                                            							__eflags = _t93;
                                                            							if(_t93 == 0) {
                                                            								goto L8;
                                                            							}
                                                            							_t91 = _t83 -  *((intOrPtr*)(_t102 + 0x20));
                                                            							asm("sbb eax, [esi+0x24]");
                                                            							__eflags =  *((intOrPtr*)(_t106 - 0x20)) -  *((intOrPtr*)(_t93 + 4));
                                                            							if(__eflags > 0) {
                                                            								L22:
                                                            								_push(_t99);
                                                            								L00408BFB(_t83, _t99, _t102, __eflags);
                                                            								_t52 = 1;
                                                            							} else {
                                                            								if(__eflags < 0) {
                                                            									goto L8;
                                                            								} else {
                                                            									__eflags = _t91 -  *_t93;
                                                            									if(__eflags > 0) {
                                                            										goto L22;
                                                            									} else {
                                                            										while(1) {
                                                            											L8:
                                                            											_t61 =  *((intOrPtr*)(_t106 - 0x10));
                                                            											_t63 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t106 + 8)))) + 0xc))( *((intOrPtr*)(_t106 + 8)), _t61 + _t99, 0x10000 - _t61, _t106 - 0x1c);
                                                            											__eflags = _t63;
                                                            											if(__eflags != 0) {
                                                            												break;
                                                            											}
                                                            											_t65 =  *((intOrPtr*)(_t106 - 0x1c));
                                                            											 *((intOrPtr*)(_t106 - 0x10)) =  *((intOrPtr*)(_t106 - 0x10)) + _t65;
                                                            											__eflags = _t65;
                                                            											if(__eflags == 0) {
                                                            												_t103 = 1;
                                                            												L24:
                                                            												_push(_t99);
                                                            												goto L27;
                                                            											} else {
                                                            												__eflags =  *((intOrPtr*)(_t106 - 0x10)) - 0x20;
                                                            												if( *((intOrPtr*)(_t106 - 0x10)) <= 0x20) {
                                                            													continue;
                                                            												} else {
                                                            													_t67 =  *((intOrPtr*)(_t106 - 0x10)) + 0xffffffe0;
                                                            													_t89 = 0;
                                                            													 *((intOrPtr*)(_t106 - 0x18)) = _t67;
                                                            													 *((intOrPtr*)(_t106 - 0x14)) = 0;
                                                            													__eflags = _t67;
                                                            													if(_t67 <= 0) {
                                                            														L21:
                                                            														_t83 = _t83 + _t67;
                                                            														asm("adc dword [ebp-0x20], 0x0");
                                                            														 *((intOrPtr*)(_t106 - 0x10)) =  *((intOrPtr*)(_t106 - 0x10)) - _t67;
                                                            														E00416C30(_t83, _t99, _t102, _t99, _t67 + _t99,  *((intOrPtr*)(_t106 - 0x10)));
                                                            														goto L4;
                                                            													} else {
                                                            														while(1) {
                                                            															__eflags =  *((char*)(_t99 + _t89)) - 0x37;
                                                            															if( *((char*)(_t99 + _t89)) == 0x37) {
                                                            															}
                                                            															L17:
                                                            															__eflags = _t89 - _t67;
                                                            															L18:
                                                            															if(__eflags == 0) {
                                                            																goto L21;
                                                            															} else {
                                                            																_t73 = E00403DB0(_t99 + _t89);
                                                            																__eflags = _t73;
                                                            																if(_t73 != 0) {
                                                            																	_t99 =  *((intOrPtr*)(_t106 - 0x14));
                                                            																	E00416FC0(_t83, _t99, _t102, _t102 + 0x28,  *((intOrPtr*)(_t106 - 0x28)) + _t99, 0x20);
                                                            																	_t78 =  *((intOrPtr*)(_t106 - 0x20));
                                                            																	_t92 =  *((intOrPtr*)(_t106 + 8));
                                                            																	_t96 = 0;
                                                            																	_t84 = _t83 + _t99;
                                                            																	asm("adc eax, edx");
                                                            																	 *((intOrPtr*)(_t102 + 0x20)) = _t84;
                                                            																	_t83 = _t84 + 0x20;
                                                            																	__eflags = _t83;
                                                            																	 *((intOrPtr*)(_t102 + 0x24)) = _t78;
                                                            																	asm("adc eax, edx");
                                                            																	_t79 =  *((intOrPtr*)( *_t92 + 0x10))(_t92, _t83, _t78, _t96, _t96);
                                                            																	_push( *((intOrPtr*)(_t106 - 0x28)));
                                                            																	_t103 = _t79;
                                                            																	L27:
                                                            																	L00408BFB(_t83, _t99, _t103, __eflags);
                                                            																	_t52 = _t103;
                                                            																} else {
                                                            																	 *((intOrPtr*)(_t106 - 0x14)) =  *((intOrPtr*)(_t106 - 0x14)) + 1;
                                                            																	__eflags =  *((intOrPtr*)(_t106 - 0x14)) -  *((intOrPtr*)(_t106 - 0x18));
                                                            																	_t99 =  *((intOrPtr*)(_t106 - 0x28));
                                                            																	_t67 =  *((intOrPtr*)(_t106 - 0x18));
                                                            																	if( *((intOrPtr*)(_t106 - 0x14)) <  *((intOrPtr*)(_t106 - 0x18))) {
                                                            																		_t89 =  *((intOrPtr*)(_t106 - 0x14));
                                                            																		while(1) {
                                                            																			__eflags =  *((char*)(_t99 + _t89)) - 0x37;
                                                            																			if( *((char*)(_t99 + _t89)) == 0x37) {
                                                            																			}
                                                            																			goto L14;
                                                            																		}
                                                            																		goto L17;
                                                            																	} else {
                                                            																		goto L21;
                                                            																	}
                                                            																}
                                                            															}
                                                            															goto L28;
                                                            															L14:
                                                            															__eflags = _t89 - _t67;
                                                            															if(__eflags < 0) {
                                                            																_t89 = _t89 + 1;
                                                            																__eflags = _t89;
                                                            																 *((intOrPtr*)(_t106 - 0x14)) = _t89;
                                                            																continue;
                                                            															}
                                                            															goto L18;
                                                            														}
                                                            													}
                                                            												}
                                                            											}
                                                            											goto L28;
                                                            										}
                                                            										_t103 = _t63;
                                                            										goto L24;
                                                            									}
                                                            								}
                                                            							}
                                                            							L28:
                                                            							goto L29;
                                                            						}
                                                            					} else {
                                                            						_t52 = 0;
                                                            					}
                                                            				}
                                                            				L29:
                                                            				return E00416BF9(_t52);
                                                            			}


























                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: $d3B
                                                            • API String ID: 431132790-198493696
                                                            • Opcode ID: 36909c94d1b2a368238d16634e6de224bbbadee6273f221c0c5262812a54e26a
                                                            • Instruction ID: 3a515e4a4a240cacc8c10b0b89ac85215a11ea039d74a327c6dee710e8acc370
                                                            • Opcode Fuzzy Hash: 36909c94d1b2a368238d16634e6de224bbbadee6273f221c0c5262812a54e26a
                                                            • Instruction Fuzzy Hash: 3D5170B1A00205ABCB10DFA5CC80AAFB7B5BF85314F14492EEA01B7681D77DE941CB68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E00409899(void* __ebx, void** __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t22;
                                                            				void* _t26;
                                                            				void** _t35;
                                                            				void* _t37;
                                                            				void* _t38;
                                                            
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t35 = __ecx;
                                                            				if(E00409469(__ecx) != 0) {
                                                            					_t37 = CreateFileW;
                                                            					_t22 = CreateFileW( *(_t38 + 8),  *(_t38 + 0xc),  *(_t38 + 0x10), 0,  *(_t38 + 0x14),  *(_t38 + 0x18), 0); // executed
                                                            					 *_t35 = _t22;
                                                            					_t41 = _t22 - 0xffffffff;
                                                            					if(_t22 == 0xffffffff) {
                                                            						E0040320A(_t38 - 0x18);
                                                            						 *((intOrPtr*)(_t38 - 4)) = 0;
                                                            						_t26 = E00409876(_t41,  *(_t38 + 8), _t38 - 0x18);
                                                            						_t42 = _t26;
                                                            						if(_t26 != 0) {
                                                            							 *_t35 = CreateFileW( *(_t38 - 0x18),  *(_t38 + 0xc),  *(_t38 + 0x10), 0,  *(_t38 + 0x14),  *(_t38 + 0x18), 0);
                                                            						}
                                                            						_push( *(_t38 - 0x18));
                                                            						L00408BFB(0, _t35, _t37, _t42);
                                                            					}
                                                            					_t20 = 0 |  *_t35 != 0xffffffff;
                                                            				}
                                                            				return E00416BF9(_t20);
                                                            			}









                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 004098A0
                                                              • Part of subcall function 00409469: FindCloseChangeNotification.KERNELBASE ref: 00409474
                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,0000000C), ref: 004098C9
                                                            • CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000,?,?), ref: 004098FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CreateFile$ChangeCloseFindH_prolog3Notification
                                                            • String ID:
                                                            • API String ID: 497171381-0
                                                            • Opcode ID: 2e27a2388b066e432df6d7a938a5b8c5348d8dcfff54f88ac972f1d3587ffd35
                                                            • Instruction ID: 592200983aca7f03df924794e6f5b352c9d03a6f4c54ac32436f896c8fb0c43e
                                                            • Opcode Fuzzy Hash: 2e27a2388b066e432df6d7a938a5b8c5348d8dcfff54f88ac972f1d3587ffd35
                                                            • Instruction Fuzzy Hash: 8701007240010EAFDF01AFA1CC428EE7F76EF18364F50452ABA60661E2C735DD62EB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E00410BBB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t14;
                                                            				signed int _t15;
                                                            				int _t17;
                                                            				int _t20;
                                                            				int _t22;
                                                            				signed int _t23;
                                                            				int _t31;
                                                            				void* _t32;
                                                            				void* _t33;
                                                            
                                                            				_t33 = __eflags;
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t14 = E00410A7A(__ebx, __edi, __esi, _t33,  *(_t32 + 8), 0); // executed
                                                            				if(_t14 == 0) {
                                                            					L6:
                                                            					_t15 = 0;
                                                            					__eflags = 0;
                                                            				} else {
                                                            					_t17 = DeleteFileW( *(_t32 + 8)); // executed
                                                            					if(_t17 == 0) {
                                                            						E0040320A(_t32 - 0x18);
                                                            						 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                                            						_t20 = E00409876(__eflags,  *(_t32 + 8), _t32 - 0x18);
                                                            						_push( *((intOrPtr*)(_t32 - 0x18)));
                                                            						__eflags = _t20;
                                                            						if(__eflags == 0) {
                                                            							L00408BFB(__ebx, __edi, DeleteFileW, __eflags);
                                                            							goto L6;
                                                            						} else {
                                                            							_t22 = DeleteFileW();
                                                            							_push( *((intOrPtr*)(_t32 - 0x18)));
                                                            							_t31 = _t22;
                                                            							_t23 = L00408BFB(__ebx, __edi, _t31, __eflags);
                                                            							__eflags = _t31;
                                                            							_t15 = _t23 & 0xffffff00 | _t31 != 0x00000000;
                                                            						}
                                                            					} else {
                                                            						_t15 = 1;
                                                            					}
                                                            				}
                                                            				return E00416BF9(_t15);
                                                            			}













                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410BC2
                                                              • Part of subcall function 00410A7A: __EH_prolog3.LIBCMT ref: 00410A81
                                                              • Part of subcall function 00410A7A: SetFileAttributesW.KERNELBASE(?,?,0000000C), ref: 00410A92
                                                            • DeleteFileW.KERNELBASE(?,0000000C), ref: 00410BDE
                                                            • DeleteFileW.KERNEL32(?,?,?), ref: 00410C07
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: File$DeleteH_prolog3$Attributes
                                                            • String ID:
                                                            • API String ID: 1699852380-0
                                                            • Opcode ID: aa60388c990ca20335ff6b8a2c2d0d9a5d7906f33e0c0772e15b234dafe4a561
                                                            • Instruction ID: 82b29cb7c56b73e0ed4b09c3219c5ce96762dd4778a0f313884fd1d1f183af2a
                                                            • Opcode Fuzzy Hash: aa60388c990ca20335ff6b8a2c2d0d9a5d7906f33e0c0772e15b234dafe4a561
                                                            • Instruction Fuzzy Hash: 0BF0A431900115AACF14AFA1C802BED7F219F10354F01802BB90076192DB79D9C2AADC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 81%
                                                            			E00410A7A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				int _t16;
                                                            				signed int _t21;
                                                            				int _t23;
                                                            				signed int _t24;
                                                            				int _t31;
                                                            				void* _t32;
                                                            
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t16 = SetFileAttributesW( *(_t32 + 8),  *(_t32 + 0xc)); // executed
                                                            				if(_t16 == 0) {
                                                            					E0040320A(_t32 - 0x18);
                                                            					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                                            					__eflags = E00409876(__eflags,  *(_t32 + 8), _t32 - 0x18);
                                                            					if(__eflags == 0) {
                                                            						_push( *(_t32 - 0x18));
                                                            						L00408BFB(__ebx, __edi, SetFileAttributesW, __eflags);
                                                            						_t21 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_t23 = SetFileAttributesW( *(_t32 - 0x18),  *(_t32 + 0xc));
                                                            						_push( *(_t32 - 0x18));
                                                            						_t31 = _t23;
                                                            						_t24 = L00408BFB(__ebx, __edi, _t31, __eflags);
                                                            						__eflags = _t31;
                                                            						_t21 = _t24 & 0xffffff00 | _t31 != 0x00000000;
                                                            					}
                                                            				} else {
                                                            					_t21 = 1;
                                                            				}
                                                            				return E00416BF9(_t21);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410A81
                                                            • SetFileAttributesW.KERNELBASE(?,?,0000000C), ref: 00410A92
                                                            • SetFileAttributesW.KERNEL32(?,?,?,?), ref: 00410ABE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile$H_prolog3
                                                            • String ID:
                                                            • API String ID: 1525373243-0
                                                            • Opcode ID: 8d85c776ab4068c8f05fe61b7f3e61eb28d90dad28fb2599ea8dc5aeb20f5ffb
                                                            • Instruction ID: b68339446e7912557b5547a3532edc32d3c599c184010c8767136443e2a04074
                                                            • Opcode Fuzzy Hash: 8d85c776ab4068c8f05fe61b7f3e61eb28d90dad28fb2599ea8dc5aeb20f5ffb
                                                            • Instruction Fuzzy Hash: ADF09C31800219EACF00AFA1CC02AED7F31DF14354F01402BB900761A2CB79DDD2EB98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0040AA23(intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _t14;
                                                            				void* _t19;
                                                            				struct _CRITICAL_SECTION* _t23;
                                                            				intOrPtr* _t25;
                                                            				intOrPtr* _t26;
                                                            				void* _t28;
                                                            
                                                            				_push(4);
                                                            				E00416B21(E00421F0F, _t19, __edi, __esi);
                                                            				_t25 = __ecx;
                                                            				_t23 = __ecx + 4;
                                                            				 *(_t28 - 0x10) = _t23;
                                                            				EnterCriticalSection(_t23);
                                                            				_t14 =  *_t25;
                                                            				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push( *((intOrPtr*)(_t28 + 0xc)));
                                                            				_push( *((intOrPtr*)(_t28 + 8)));
                                                            				_push(_t14); // executed
                                                            				if( *((intOrPtr*)( *_t14 + 0x10))() == 0) {
                                                            					_t26 =  *_t25;
                                                            					_t15 =  *((intOrPtr*)( *_t26 + 0xc))(_t26,  *((intOrPtr*)(_t28 + 0x10)),  *((intOrPtr*)(_t28 + 0x14)),  *((intOrPtr*)(_t28 + 0x18)));
                                                            				}
                                                            				LeaveCriticalSection(_t23);
                                                            				return E00416BF9(_t15);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040AA2A
                                                            • EnterCriticalSection.KERNEL32(00000000,00000004,0040AAA2,?,?,?,?,00000000), ref: 0040AA38
                                                            • LeaveCriticalSection.KERNEL32(00000000,?,?,?,?), ref: 0040AA5B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterH_prolog3Leave
                                                            • String ID:
                                                            • API String ID: 4250467438-0
                                                            • Opcode ID: 4dddb49c8288610b6a72de20f540e7b07757c19d66fa8ff38042e61517f2b0a0
                                                            • Instruction ID: 376e6d0b6539734c182ceb4bf0422f82a57e589c454eeaae9fc2f109862d71f0
                                                            • Opcode Fuzzy Hash: 4dddb49c8288610b6a72de20f540e7b07757c19d66fa8ff38042e61517f2b0a0
                                                            • Instruction Fuzzy Hash: DDF06235600214EBCB219FA0CC04B9A7BB5BF08711F15445AFA11AB2A0C779E951DF69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00410AE4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				int _t13;
                                                            				int _t16;
                                                            				signed int _t18;
                                                            				int _t20;
                                                            				signed int _t21;
                                                            				int _t28;
                                                            				void* _t29;
                                                            
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t13 = RemoveDirectoryW( *(_t29 + 8)); // executed
                                                            				if(_t13 == 0) {
                                                            					E0040320A(_t29 - 0x18);
                                                            					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                                            					_t16 = E00409876(__eflags,  *(_t29 + 8), _t29 - 0x18);
                                                            					_push( *((intOrPtr*)(_t29 - 0x18)));
                                                            					__eflags = _t16;
                                                            					if(__eflags == 0) {
                                                            						L00408BFB(__ebx, __edi, RemoveDirectoryW, __eflags);
                                                            						_t18 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_t20 = RemoveDirectoryW();
                                                            						_push( *((intOrPtr*)(_t29 - 0x18)));
                                                            						_t28 = _t20;
                                                            						_t21 = L00408BFB(__ebx, __edi, _t28, __eflags);
                                                            						__eflags = _t28;
                                                            						_t18 = _t21 & 0xffffff00 | _t28 != 0x00000000;
                                                            					}
                                                            				} else {
                                                            					_t18 = 1;
                                                            				}
                                                            				return E00416BF9(_t18);
                                                            			}











                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410AEB
                                                            • RemoveDirectoryW.KERNELBASE(?,0000000C), ref: 00410AF9
                                                            • RemoveDirectoryW.KERNEL32(?,?,?), ref: 00410B22
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: DirectoryRemove$H_prolog3
                                                            • String ID:
                                                            • API String ID: 3343300676-0
                                                            • Opcode ID: 65cf368d349eb4c92cd16b1e3ade35d5f6be28c4dc45d3fa00a9d84382bf9e58
                                                            • Instruction ID: 710b2b3079904f10a49b21f330e3983a60d9af1bfd423f351766240e205e25f6
                                                            • Opcode Fuzzy Hash: 65cf368d349eb4c92cd16b1e3ade35d5f6be28c4dc45d3fa00a9d84382bf9e58
                                                            • Instruction Fuzzy Hash: 60F0303180411996CF10ABE1C902AEE7F259F00358F15406BA9406A292CB79E9C6E6AD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E0040177A(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t21;
                                                            				intOrPtr _t33;
                                                            				void* _t34;
                                                            				void* _t35;
                                                            
                                                            				_t35 = __eflags;
                                                            				_t31 = __edi;
                                                            				_t23 = __ebx;
                                                            				_push(4);
                                                            				E00416B21(E00421471, __ebx, __edi, __esi);
                                                            				_t33 = __ecx;
                                                            				 *((intOrPtr*)(_t34 - 0x10)) = __ecx;
                                                            				 *(_t34 - 4) = 4;
                                                            				E00408BC5(__ecx + 0xb4);
                                                            				 *(_t34 - 4) = 3;
                                                            				E00408BC5(__ecx + 0xa0);
                                                            				 *(_t34 - 4) = 2;
                                                            				E004015E5(__ebx, __ecx + 0x8c, __edi, __ecx, _t35);
                                                            				 *(_t34 - 4) = 1;
                                                            				E00401489(_t23, _t33 + 0x78, _t31, _t33, _t35); // executed
                                                            				 *(_t34 - 4) = 0;
                                                            				E0040B173(_t33);
                                                            				_t11 = _t34 - 4;
                                                            				 *(_t34 - 4) =  *(_t34 - 4) | 0xffffffff;
                                                            				_t21 = E0040157A(_t23, _t33 + 0x14, _t31, _t33,  *_t11); // executed
                                                            				return E00416BF9(_t21);
                                                            			}








                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00401781
                                                            • ~_Task_impl.LIBCPMT ref: 004017B6
                                                              • Part of subcall function 004015E5: __EH_prolog3.LIBCMT ref: 004015EC
                                                            • ~_Task_impl.LIBCPMT ref: 004017C2
                                                              • Part of subcall function 00401489: __EH_prolog3.LIBCMT ref: 00401490
                                                              • Part of subcall function 0040157A: __EH_prolog3.LIBCMT ref: 00401581
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$Task_impl
                                                            • String ID:
                                                            • API String ID: 2843614703-0
                                                            • Opcode ID: 3dfa0d9badd74e310505ad803d96c188240e82b3241b6ae798c843971600a03f
                                                            • Instruction ID: 013af03912305f4c448b6a7ee667699893353aed5ea99b6c000518ccc271aa3d
                                                            • Opcode Fuzzy Hash: 3dfa0d9badd74e310505ad803d96c188240e82b3241b6ae798c843971600a03f
                                                            • Instruction Fuzzy Hash: E1F0F070404354CAD714FBA1C1027DCBBB06F20308F4041DEA4A6232D2DF782708C62A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E0040193F(intOrPtr __ecx, void* __esi, void* __eflags) {
                                                            				void* _t15;
                                                            				void* _t20;
                                                            				intOrPtr _t22;
                                                            				void* _t23;
                                                            				void* _t24;
                                                            
                                                            				_t24 = __eflags;
                                                            				_push(4);
                                                            				E00416B21(E00420CC8, _t15, _t20, __esi);
                                                            				_t22 = __ecx;
                                                            				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
                                                            				 *(_t23 - 4) = 1;
                                                            				E00401616(_t15, __ecx + 0x74, _t20, __ecx, _t24); // executed
                                                            				 *(_t23 - 4) = 0;
                                                            				E00401549(_t15, _t22 + 0x5c, _t20, _t22, _t24); // executed
                                                            				_t6 = _t23 - 4;
                                                            				 *(_t23 - 4) =  *(_t23 - 4) | 0xffffffff;
                                                            				return E00416BF9(E004011EE(_t15, _t22 + 0xc, _t20, _t22,  *_t6));
                                                            			}









                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00401946
                                                            • ~_Task_impl.LIBCPMT ref: 0040195A
                                                              • Part of subcall function 00401616: __EH_prolog3.LIBCMT ref: 0040161D
                                                            • ~_Task_impl.LIBCPMT ref: 00401966
                                                              • Part of subcall function 00401549: __EH_prolog3.LIBCMT ref: 00401550
                                                              • Part of subcall function 004011EE: __EH_prolog3.LIBCMT ref: 004011F5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$Task_impl
                                                            • String ID:
                                                            • API String ID: 2843614703-0
                                                            • Opcode ID: 5a36d9774e3f7b5f4d6334cd3bd70039b4e6d44ffea03344701cfbbcf185756c
                                                            • Instruction ID: 5cdb3cf3dca08719438845c65d893accad8844cd1feecf10675d4a7ad2801eba
                                                            • Opcode Fuzzy Hash: 5a36d9774e3f7b5f4d6334cd3bd70039b4e6d44ffea03344701cfbbcf185756c
                                                            • Instruction Fuzzy Hash: 1FE02670804610CBC708FBE5C80238DBBE0AF00318F40435EA512672E2CFB86708C608
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E00413320(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t62;
                                                            				intOrPtr _t63;
                                                            				intOrPtr _t64;
                                                            				intOrPtr _t73;
                                                            				intOrPtr* _t82;
                                                            				intOrPtr _t83;
                                                            				void* _t85;
                                                            				void* _t89;
                                                            				intOrPtr* _t121;
                                                            				void* _t122;
                                                            				void* _t125;
                                                            
                                                            				_t125 = __eflags;
                                                            				_t119 = __edi;
                                                            				_t117 = __edx;
                                                            				_push(0x58);
                                                            				E00416B21(E004220FF, __ebx, __edi, __esi);
                                                            				_t121 = __ecx;
                                                            				E0040320A(_t122 - 0x3c);
                                                            				_push( *((intOrPtr*)(__ecx + 4)));
                                                            				 *((intOrPtr*)(_t122 - 4)) = 0;
                                                            				_t62 = E00409371(0, _t122 - 0x64, __edx, __edi, __ecx, _t125); // executed
                                                            				_t126 = _t62;
                                                            				if(_t62 != 0) {
                                                            					_t63 =  *((intOrPtr*)(_t121 + 0x1c));
                                                            					__eflags = _t63;
                                                            					if(__eflags == 0) {
                                                            						_t64 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_t64 = _t63 + 4;
                                                            					}
                                                            					 *((intOrPtr*)(_t122 - 0x28)) = 0;
                                                            					 *((intOrPtr*)(_t122 - 0x24)) = 0;
                                                            					 *((intOrPtr*)(_t122 - 0x20)) = 0;
                                                            					 *((intOrPtr*)(_t122 - 0x1c)) = 4;
                                                            					 *((intOrPtr*)(_t122 - 0x2c)) = 0x42350c;
                                                            					_push(_t64);
                                                            					_push(_t121 + 4);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(_t122 - 0x2c);
                                                            					_push( *_t121);
                                                            					_t119 = _t121 + 0x28;
                                                            					 *((char*)(_t122 - 4)) = 1;
                                                            					 *((intOrPtr*)(_t121 + 0x60)) = E0040C59C(0, _t119, _t117, _t119, _t121, __eflags);
                                                            					 *((char*)(_t122 - 4)) = 0;
                                                            					E00408BC5(_t122 - 0x2c);
                                                            					__eflags =  *((intOrPtr*)(_t121 + 0x60));
                                                            					if( *((intOrPtr*)(_t121 + 0x60)) == 0) {
                                                            						_t102 = _t122 - 0x18;
                                                            						E00404082(_t122 - 0x18, _t122, _t121 + 0x10);
                                                            						 *((char*)(_t122 - 4)) = 2;
                                                            						E004099DF(_t122 - 0x18);
                                                            						_push( *((intOrPtr*)(_t122 - 0x18)));
                                                            						_t73 = E00410F49(0, _t119, _t121, __eflags); // executed
                                                            						__eflags = _t73;
                                                            						if(__eflags != 0) {
                                                            							E00401647(_t122 - 0x24, _t122, L"Default");
                                                            							 *((char*)(_t122 - 4)) = 4;
                                                            							E00412551(0,  *((intOrPtr*)(_t121 + 0x1c)), _t119, _t121, __eflags);
                                                            							 *((char*)(_t122 - 4)) = 2;
                                                            							L00408BFB(0, _t119, _t121, __eflags);
                                                            							_t82 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 0xc)) +  *(_t119 + 8) * 4 - 4))));
                                                            							_t83 =  *((intOrPtr*)( *_t82 + 0x1c))(_t82, 0, 0xffffffff, 0,  *((intOrPtr*)(_t121 + 0x20)),  *((intOrPtr*)(_t122 - 0x24)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 0xc)) +  *(_t119 + 8) * 4 - 4)))), _t122 - 0x18, _t122 - 0x24, _t122 - 0x4c, 0);
                                                            							_push( *((intOrPtr*)(_t122 - 0x18)));
                                                            							 *((intOrPtr*)(_t121 + 0x60)) = _t83;
                                                            							L00408BFB(0, _t119, _t121, __eflags);
                                                            							_push( *((intOrPtr*)(_t122 - 0x3c)));
                                                            							_t85 = L00408BFB(0, _t119, _t121, __eflags);
                                                            							goto L11;
                                                            						} else {
                                                            							_push(_t122 - 0x18);
                                                            							_push(9);
                                                            							_push(_t122 - 0x24);
                                                            							_t89 = E0040C997(0, _t102, _t119, _t121, __eflags);
                                                            							 *((char*)(_t122 - 4)) = 3;
                                                            							E00408639(_t121 + 0x64, _t122, _t89);
                                                            							_push( *((intOrPtr*)(_t122 - 0x24)));
                                                            							L00408BFB(0, _t119, _t121, __eflags);
                                                            							_push( *((intOrPtr*)(_t122 - 0x18)));
                                                            							 *((intOrPtr*)(_t121 + 0x60)) = 0x80004005;
                                                            							L00408BFB(0, _t119, _t121, __eflags);
                                                            							_push( *((intOrPtr*)(_t122 - 0x3c)));
                                                            							_t85 = L00408BFB(0, _t119, _t121, __eflags);
                                                            						}
                                                            					} else {
                                                            						E00408639(_t121 + 0x64, _t122, 0x430624);
                                                            						goto L2;
                                                            					}
                                                            				} else {
                                                            					E00408639(_t121 + 0x64, _t122, 0x430618);
                                                            					 *((intOrPtr*)(_t121 + 0x60)) = 0x80004005;
                                                            					L2:
                                                            					_push( *((intOrPtr*)(_t122 - 0x3c)));
                                                            					_t85 = L00408BFB(0, _t119, _t121, _t126);
                                                            					L11:
                                                            				}
                                                            				return E00416BF9(_t85);
                                                            			}















                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00413327
                                                              • Part of subcall function 00409371: __EH_prolog3.LIBCMT ref: 00409378
                                                              • Part of subcall function 00410F49: __EH_prolog3.LIBCMT ref: 00410F50
                                                              • Part of subcall function 0040C997: __EH_prolog3.LIBCMT ref: 0040C99E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: Default
                                                            • API String ID: 431132790-753088835
                                                            • Opcode ID: 9bb2fe5a139833588a7d3d06fd8f57c5a8a4d5c7409c239a80a1bd62f6c0b366
                                                            • Instruction ID: 637a408ca592e427b064d91d27cf8d613e21661ac3e18e47597f74a2cd651e88
                                                            • Opcode Fuzzy Hash: 9bb2fe5a139833588a7d3d06fd8f57c5a8a4d5c7409c239a80a1bd62f6c0b366
                                                            • Instruction Fuzzy Hash: F84162B1800208EFCB15DF95C9819DEBBB4BF08304F10456EF59673292DF79AA45DB18
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E00410F49(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t53;
                                                            				signed int _t56;
                                                            				long _t57;
                                                            				signed int _t59;
                                                            				intOrPtr* _t67;
                                                            				signed char _t68;
                                                            				signed int _t72;
                                                            				void* _t81;
                                                            				signed int _t89;
                                                            				signed int _t107;
                                                            				intOrPtr _t109;
                                                            				intOrPtr _t112;
                                                            				signed int _t114;
                                                            				void* _t116;
                                                            
                                                            				_t86 = __ebx;
                                                            				_push(0x5c);
                                                            				E00416B21(E00421D1D, __ebx, __edi, __esi);
                                                            				E00401647(_t116 - 0x18, _t116,  *((intOrPtr*)(_t116 + 8)));
                                                            				 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
                                                            				_t53 = E004099B4(_t116 - 0x18, 0x5c);
                                                            				if(_t53 <= 0) {
                                                            					L6:
                                                            					E00404082(_t116 - 0x24, _t116, _t116 - 0x18);
                                                            					_t114 =  *(_t116 - 0x14);
                                                            					 *(_t116 - 4) = 1;
                                                            					while(1) {
                                                            						_t112 =  *((intOrPtr*)(_t116 - 0x18));
                                                            						_t56 = E00410B45(_t86, _t112, _t114, __eflags, _t112); // executed
                                                            						__eflags = _t56;
                                                            						if(_t56 != 0) {
                                                            							break;
                                                            						}
                                                            						_t57 = GetLastError();
                                                            						__eflags = _t57 - 0xb7;
                                                            						if(_t57 == 0xb7) {
                                                            							E0040320A(_t116 - 0x40);
                                                            							_push(_t112);
                                                            							 *(_t116 - 4) = 2;
                                                            							_t59 = E00409371(_t86, _t116 - 0x68, _t110, _t112, _t114, __eflags); // executed
                                                            							__eflags = _t59;
                                                            							if(__eflags != 0) {
                                                            								__eflags =  *(_t116 - 0x48) >> 0x00000004 & 0x00000001;
                                                            								if(__eflags != 0) {
                                                            									_push( *((intOrPtr*)(_t116 - 0x40)));
                                                            									 *(_t116 - 4) = 1;
                                                            									L00408BFB(_t86, _t112, _t114, __eflags);
                                                            									L21:
                                                            									E00408639(_t116 - 0x18, _t116, _t116 - 0x24);
                                                            									while(1) {
                                                            										__eflags = _t114 -  *(_t116 - 0x14);
                                                            										if(__eflags >= 0) {
                                                            											break;
                                                            										}
                                                            										_t114 = E00406E0F(_t116 - 0x18, 0x5c, _t114 + 1);
                                                            										__eflags = _t114;
                                                            										if(_t114 < 0) {
                                                            											_t114 =  *(_t116 - 0x14);
                                                            										}
                                                            										_t67 = E00408730(_t116 - 0x18, _t116 - 0x30, _t114);
                                                            										 *(_t116 - 4) = 4;
                                                            										_t68 = E00410B45(_t86, _t112, _t114, __eflags,  *_t67);
                                                            										_push( *((intOrPtr*)(_t116 - 0x30)));
                                                            										asm("sbb bl, bl");
                                                            										_t86 =  ~_t68 + 1;
                                                            										 *(_t116 - 4) = 1;
                                                            										L00408BFB(_t86, _t112, _t114, __eflags);
                                                            										__eflags = _t86;
                                                            										if(__eflags != 0) {
                                                            											goto L27;
                                                            										} else {
                                                            											continue;
                                                            										}
                                                            										goto L29;
                                                            									}
                                                            									_push( *((intOrPtr*)(_t116 - 0x24)));
                                                            									L00408BFB(_t86, _t112, _t114, __eflags);
                                                            									_push( *((intOrPtr*)(_t116 - 0x18)));
                                                            									L00408BFB(_t86, _t112, _t114, __eflags);
                                                            									_t72 = 1;
                                                            								} else {
                                                            									_t89 = 0;
                                                            									goto L16;
                                                            								}
                                                            							} else {
                                                            								_t89 = 1;
                                                            								L16:
                                                            								_push( *((intOrPtr*)(_t116 - 0x40)));
                                                            								L00408BFB(_t89, _t112, _t114, __eflags);
                                                            								goto L17;
                                                            							}
                                                            						} else {
                                                            							_t114 = E004099B4(_t116 - 0x18, 0x5c);
                                                            							__eflags = _t114;
                                                            							if(__eflags < 0 || __eflags == 0) {
                                                            								_push( *((intOrPtr*)(_t116 - 0x24)));
                                                            								L00408BFB(_t86, _t112, _t114, __eflags);
                                                            								_push(_t112);
                                                            								L00408BFB(_t86, _t112, _t114, __eflags);
                                                            								_t72 = 0;
                                                            								__eflags = 0;
                                                            							} else {
                                                            								__eflags =  *((short*)(_t112 + _t114 * 2 - 2)) - 0x3a;
                                                            								if(__eflags == 0) {
                                                            									L27:
                                                            									_t89 = 0;
                                                            									L17:
                                                            									_push( *((intOrPtr*)(_t116 - 0x24)));
                                                            									L00408BFB(_t89, _t112, _t114, __eflags);
                                                            									_push( *((intOrPtr*)(_t116 - 0x18)));
                                                            									L00408BFB(_t89, _t112, _t114, __eflags);
                                                            									_t72 = _t89;
                                                            								} else {
                                                            									_t81 = E00408730(_t116 - 0x18, _t116 - 0x30, _t114);
                                                            									 *(_t116 - 4) = 3;
                                                            									E00408639(_t116 - 0x18, _t116, _t81);
                                                            									_push( *((intOrPtr*)(_t116 - 0x30)));
                                                            									 *(_t116 - 4) = 1;
                                                            									L00408BFB(_t86, _t112, _t114, __eflags);
                                                            									continue;
                                                            								}
                                                            							}
                                                            						}
                                                            						L29:
                                                            						goto L30;
                                                            					}
                                                            					goto L21;
                                                            				} else {
                                                            					_t107 =  *(_t116 - 0x14);
                                                            					_t110 = _t107 - 1;
                                                            					if(_t53 != _t107 - 1) {
                                                            						goto L6;
                                                            					} else {
                                                            						if(_t107 != 3) {
                                                            							L5:
                                                            							E00406DDA(_t116 - 0x18, _t53, 1);
                                                            							goto L6;
                                                            						} else {
                                                            							_t109 =  *((intOrPtr*)(_t116 - 0x18));
                                                            							_t121 =  *((short*)(_t109 + 2)) - 0x3a;
                                                            							if( *((short*)(_t109 + 2)) != 0x3a) {
                                                            								goto L5;
                                                            							} else {
                                                            								_push(_t109);
                                                            								L00408BFB(__ebx, __edi, __esi, _t121);
                                                            								_t72 = 1;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				L30:
                                                            				return E00416BF9(_t72);
                                                            			}


















                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410F50
                                                            • GetLastError.KERNEL32(?,?,0000005C), ref: 00410FB8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ErrorH_prolog3Last
                                                            • String ID:
                                                            • API String ID: 685212868-0
                                                            • Opcode ID: 26b8e7ef6f6e6a1153239e8f0ac4f4cbe582f211056244c430997547e544c5d7
                                                            • Instruction ID: 2b8b99b76f60da9ec8f06de1b1a7b26d76a5bde200671efe753bb86a2765d737
                                                            • Opcode Fuzzy Hash: 26b8e7ef6f6e6a1153239e8f0ac4f4cbe582f211056244c430997547e544c5d7
                                                            • Instruction Fuzzy Hash: 8151B131C04149DACF11E791C992AEEBB749F15308F10406FF281731E3CE7A69C6EAA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E00413CE0(void* __ecx, intOrPtr __edx) {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t53;
                                                            				signed int _t54;
                                                            				intOrPtr* _t56;
                                                            				char _t64;
                                                            				char _t68;
                                                            				void* _t69;
                                                            				char _t75;
                                                            				char _t77;
                                                            				char _t78;
                                                            				signed int _t82;
                                                            				intOrPtr _t83;
                                                            				signed int _t84;
                                                            				intOrPtr _t98;
                                                            				char _t99;
                                                            				char _t102;
                                                            				intOrPtr _t103;
                                                            				void* _t104;
                                                            				signed int _t105;
                                                            				void* _t107;
                                                            				void* _t108;
                                                            
                                                            				_t95 = __edx;
                                                            				_t105 = _t107 - 0x1004;
                                                            				E00417EA0(0x1004);
                                                            				_push(0xffffffff);
                                                            				_push(E00422276);
                                                            				_push( *[fs:0x0]);
                                                            				_t108 = _t107 - 0x2c;
                                                            				_t53 =  *0x42d330; // 0x41c6c370
                                                            				_t54 = _t53 ^ _t105;
                                                            				 *(_t105 + 0x1000) = _t54;
                                                            				_push(_t54);
                                                            				 *[fs:0x0] = _t105 - 0xc;
                                                            				_t56 =  *((intOrPtr*)(_t105 + 0x1010));
                                                            				_t97 =  *((intOrPtr*)(_t105 + 0x100c));
                                                            				 *((intOrPtr*)(_t56 + 4)) = 0;
                                                            				 *((intOrPtr*)(_t105 - 0x28)) = _t56;
                                                            				 *((char*)( *_t56)) = 0;
                                                            				 *(_t105 - 0x18) =  *(_t105 - 0x18) | 0xffffffff;
                                                            				 *((intOrPtr*)(_t105 - 0x34)) = __edx;
                                                            				 *((intOrPtr*)(_t105 - 0x30)) =  *((intOrPtr*)(_t105 + 0x100c));
                                                            				 *(_t105 - 4) = 0;
                                                            				if(E0040995B(__ecx) != 0) {
                                                            					 *((intOrPtr*)(_t105 - 0x14)) = E00408C55(__edx);
                                                            					 *((intOrPtr*)(_t105 - 0x24)) = E00408C55(_t97);
                                                            					_t102 = 0;
                                                            					__eflags = 0;
                                                            					 *((char*)(_t105 - 0xd)) = 0;
                                                            					 *((intOrPtr*)(_t105 - 0x20)) = 0;
                                                            					 *((intOrPtr*)(_t105 - 0x1c)) = 0;
                                                            					while(1) {
                                                            						L4:
                                                            						_t64 = E00409578(_t105 - 0x18, _t105 + _t102, 0x1000 - _t102, _t105 - 0x2c); // executed
                                                            						__eflags = _t64;
                                                            						if(_t64 == 0) {
                                                            							goto L1;
                                                            						}
                                                            						_t68 =  *((intOrPtr*)(_t105 - 0x2c));
                                                            						__eflags = _t68;
                                                            						if(_t68 == 0) {
                                                            							L19:
                                                            							_t82 = 1;
                                                            						} else {
                                                            							_t104 = _t102 + _t68;
                                                            							_t99 = 0;
                                                            							__eflags = 0;
                                                            							_t84 = _t105;
                                                            							while(1) {
                                                            								__eflags =  *((char*)(_t105 - 0xd));
                                                            								_t69 = _t104;
                                                            								if( *((char*)(_t105 - 0xd)) != 0) {
                                                            								}
                                                            								L8:
                                                            								__eflags = _t99 - _t69 -  *((intOrPtr*)(_t105 - 0x24));
                                                            								if(_t99 > _t69 -  *((intOrPtr*)(_t105 - 0x24))) {
                                                            									L16:
                                                            									_t102 = _t104 - _t99;
                                                            									 *((intOrPtr*)(_t105 - 0x20)) =  *((intOrPtr*)(_t105 - 0x20)) + _t99;
                                                            									asm("adc dword [ebp-0x1c], 0x0");
                                                            									E00416C30(_t84, _t99, _t102, _t105, _t105 + _t99, _t102);
                                                            									_t108 = _t108 + 0xc;
                                                            									__eflags =  *((intOrPtr*)(_t105 - 0x1c));
                                                            									if( *((intOrPtr*)(_t105 - 0x1c)) > 0) {
                                                            										L18:
                                                            										__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t105 - 0x28)) + 4));
                                                            										_t82 = _t84 & 0xffffff00 |  *((intOrPtr*)( *((intOrPtr*)(_t105 - 0x28)) + 4)) == 0x00000000;
                                                            									} else {
                                                            										__eflags =  *((intOrPtr*)(_t105 - 0x20)) - 0x100000;
                                                            										if( *((intOrPtr*)(_t105 - 0x20)) <= 0x100000) {
                                                            											goto L4;
                                                            										} else {
                                                            											goto L18;
                                                            										}
                                                            									}
                                                            								} else {
                                                            									_t77 = E00415060(_t84,  *((intOrPtr*)(_t105 - 0x30)),  *((intOrPtr*)(_t105 - 0x24)));
                                                            									_t108 = _t108 + 0xc;
                                                            									__eflags = _t77;
                                                            									if(_t77 == 0) {
                                                            										goto L19;
                                                            									} else {
                                                            										_t78 =  *_t84;
                                                            										 *((char*)(_t105 - 0x38)) = _t78;
                                                            										__eflags = _t78;
                                                            										if(__eflags == 0) {
                                                            											goto L1;
                                                            										} else {
                                                            											E00408D38( *((intOrPtr*)(_t105 - 0x28)), _t95, __eflags,  *((intOrPtr*)(_t105 - 0x38)));
                                                            											L12:
                                                            											_t99 = _t99 + 1;
                                                            											_t84 = _t84 + 1;
                                                            											while(1) {
                                                            												__eflags =  *((char*)(_t105 - 0xd));
                                                            												_t69 = _t104;
                                                            												if( *((char*)(_t105 - 0xd)) != 0) {
                                                            												}
                                                            												goto L13;
                                                            											}
                                                            											goto L8;
                                                            										}
                                                            									}
                                                            								}
                                                            								goto L2;
                                                            								L13:
                                                            								__eflags = _t99 - _t69 -  *((intOrPtr*)(_t105 - 0x14));
                                                            								if(_t99 > _t69 -  *((intOrPtr*)(_t105 - 0x14))) {
                                                            									goto L16;
                                                            								} else {
                                                            									_t75 = E00415060(_t84,  *((intOrPtr*)(_t105 - 0x34)),  *((intOrPtr*)(_t105 - 0x14)));
                                                            									_t108 = _t108 + 0xc;
                                                            									__eflags = _t75;
                                                            									if(_t75 != 0) {
                                                            										goto L12;
                                                            									} else {
                                                            										_t99 = _t99 +  *((intOrPtr*)(_t105 - 0x14));
                                                            										_t84 = _t84 +  *((intOrPtr*)(_t105 - 0x14));
                                                            										 *((char*)(_t105 - 0xd)) = 1;
                                                            									}
                                                            									continue;
                                                            								}
                                                            								goto L2;
                                                            							}
                                                            						}
                                                            						goto L2;
                                                            					}
                                                            					goto L1;
                                                            				} else {
                                                            					L1:
                                                            					_t82 = 0;
                                                            				}
                                                            				L2:
                                                            				 *(_t105 - 4) =  *(_t105 - 4) | 0xffffffff;
                                                            				L0040969F(_t105 - 0x18);
                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t105 - 0xc));
                                                            				_pop(_t98);
                                                            				_pop(_t103);
                                                            				_pop(_t83);
                                                            				return E00416B12(_t82, _t83,  *(_t105 + 0x1000) ^ _t105, _t95, _t98, _t103);
                                                            			}


                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: 78ef38fa871b7c9593758ba90e846cda18cf4e2d7fe881e8a5c084f9524df316
                                                            • Instruction ID: 9072c5b9033ec645a03ce027045230414212cc1cb81a3bdc800e690e571dd37c
                                                            • Opcode Fuzzy Hash: 78ef38fa871b7c9593758ba90e846cda18cf4e2d7fe881e8a5c084f9524df316
                                                            • Instruction Fuzzy Hash: D5519072D002489FCF21DFA9D980BDEBBB4FF08355F14416AE855B3291D7389A84CB68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 97%
                                                            			E0040C093(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                            				long _t29;
                                                            				intOrPtr* _t30;
                                                            				intOrPtr* _t36;
                                                            				intOrPtr* _t43;
                                                            				void* _t56;
                                                            				long _t60;
                                                            				void* _t61;
                                                            
                                                            				_t59 = __esi;
                                                            				_t56 = __edx;
                                                            				_push(0xc);
                                                            				E00416B21(E00421A6F, __ebx, __edi, __esi);
                                                            				 *((intOrPtr*)(_t61 - 0x18)) = __ecx;
                                                            				 *((intOrPtr*)(_t61 - 0x10)) = 0;
                                                            				_t58 = 0;
                                                            				 *(_t61 - 4) = 0;
                                                            				 *((intOrPtr*)(_t61 - 0x14)) = 0;
                                                            				 *(_t61 - 4) = 1;
                                                            				_t63 =  *((intOrPtr*)(_t61 + 0x10));
                                                            				if( *((intOrPtr*)(_t61 + 0x10)) == 0) {
                                                            					__eflags =  *((intOrPtr*)(_t61 + 0x14));
                                                            					if(__eflags != 0) {
                                                            						L12:
                                                            						_t29 = E0040BD49(0,  *((intOrPtr*)(_t61 - 0x18)), _t56, _t58, _t59, _t64,  *((intOrPtr*)(_t61 + 8)),  *((intOrPtr*)(_t61 + 0xc)),  *((intOrPtr*)(_t61 + 0x14)), _t58,  *((intOrPtr*)(_t61 + 0x18))); // executed
                                                            						_t60 = _t29;
                                                            						 *(_t61 - 4) = 0;
                                                            						if(_t58 != 0) {
                                                            							 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                            						}
                                                            						L14:
                                                            						_t30 =  *((intOrPtr*)(_t61 - 0x10));
                                                            						 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
                                                            						if(_t30 != 0) {
                                                            							 *((intOrPtr*)( *_t30 + 8))(_t30);
                                                            						}
                                                            						return E00416BF9(_t60);
                                                            					}
                                                            					_t36 = E00408BD0(0, 0, __eflags, 0x10);
                                                            					__eflags = _t36;
                                                            					if(_t36 == 0) {
                                                            						_t59 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_t59 = E0040B3F7(_t36);
                                                            					}
                                                            					E00406200(_t61 - 0x10, _t59);
                                                            					__eflags = E00409D98(_t59,  *((intOrPtr*)( *((intOrPtr*)(_t61 - 0x18)) + 4)));
                                                            					if(__eflags != 0) {
                                                            						 *((intOrPtr*)(_t61 + 0x14)) =  *((intOrPtr*)(_t61 - 0x10));
                                                            						goto L12;
                                                            					} else {
                                                            						_t60 = GetLastError();
                                                            						goto L14;
                                                            					}
                                                            				}
                                                            				_t43 = E00408BD0(0, 0, _t63, 8);
                                                            				_t64 = _t43;
                                                            				if(_t43 == 0) {
                                                            					_t43 = 0;
                                                            					__eflags = 0;
                                                            				} else {
                                                            					 *((intOrPtr*)(_t43 + 4)) = 0;
                                                            					 *_t43 = 0x4239fc;
                                                            				}
                                                            				E00406200(_t61 - 0x14, _t43);
                                                            				_t58 =  *((intOrPtr*)(_t61 - 0x14));
                                                            				goto L12;
                                                            			}


                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040C09A
                                                            • GetLastError.KERNEL32(?,00000000,0000000C), ref: 0040C117
                                                              • Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ErrorException@8H_prolog3LastThrow_malloc
                                                            • String ID:
                                                            • API String ID: 699586071-0
                                                            • Opcode ID: 6f71e3ce7b022161a9afa57649c5e0132424b33a35054e030d14f24926955252
                                                            • Instruction ID: a1ba42dc0e2565b842cce3423af7a9164aaecf9ecffcd2708a80ee49d7a1a354
                                                            • Opcode Fuzzy Hash: 6f71e3ce7b022161a9afa57649c5e0132424b33a35054e030d14f24926955252
                                                            • Instruction Fuzzy Hash: E7217E71900256DFCB10EFE5C8818AFBBB1AF44310F11417EE501BB292CB388E51DB99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E00411356(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t19;
                                                            				void* _t20;
                                                            				void* _t22;
                                                            				void* _t27;
                                                            				long _t28;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				intOrPtr* _t37;
                                                            				void* _t38;
                                                            				void* _t39;
                                                            				signed int _t41;
                                                            
                                                            				_t39 = __eflags;
                                                            				_t35 = __edi;
                                                            				_t34 = __edx;
                                                            				_t29 = __ebx;
                                                            				_push(0x10);
                                                            				E00416B21(E00421DA7, __ebx, __edi, __esi);
                                                            				 *((char*)(_t38 - 0x1c)) = 0;
                                                            				E0040320A(_t38 - 0x18);
                                                            				_t37 =  *((intOrPtr*)(_t38 + 0xc));
                                                            				while(1) {
                                                            					 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                                            					_push(_t37);
                                                            					_push( *((intOrPtr*)(_t38 + 8)));
                                                            					_t19 = E004112DF(_t29, _t38 - 0x1c, _t35, _t37, _t39); // executed
                                                            					_t32 = _t38 - 0x1c;
                                                            					if(_t19 == 0) {
                                                            						break;
                                                            					}
                                                            					_t20 = E00410ED7(_t32);
                                                            					 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
                                                            					_t32 = _t38 - 0x1c;
                                                            					__eflags = _t20;
                                                            					if(__eflags == 0) {
                                                            						L8:
                                                            						E00410EFB(_t29, _t32, _t35, _t37, _t41);
                                                            						goto L9;
                                                            					} else {
                                                            						E00410EFB(_t29, _t32, _t35, _t37, __eflags);
                                                            						_push( *_t37);
                                                            						__eflags = E004093A5(_t29, _t34, _t35, _t37, __eflags);
                                                            						if(__eflags != 0) {
                                                            							L5:
                                                            							 *((char*)(_t38 - 0x1c)) = 0;
                                                            							E0040320A(_t38 - 0x18);
                                                            							continue;
                                                            						} else {
                                                            							_t27 = E00410B45(_t29, _t35, _t37, __eflags,  *_t37); // executed
                                                            							__eflags = _t27;
                                                            							if(_t27 != 0) {
                                                            								_t22 = 1;
                                                            							} else {
                                                            								_t28 = GetLastError();
                                                            								__eflags = _t28 - 0xb7;
                                                            								if(_t28 != 0xb7) {
                                                            									L9:
                                                            									_t22 = 0;
                                                            								} else {
                                                            									goto L5;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					return E00416BF9(_t22);
                                                            				}
                                                            				_t14 = _t38 - 4;
                                                            				 *_t14 =  *(_t38 - 4) | 0xffffffff;
                                                            				_t41 =  *_t14;
                                                            				goto L8;
                                                            			}















                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000010), ref: 0041139E
                                                            • __EH_prolog3.LIBCMT ref: 0041135D
                                                              • Part of subcall function 004112DF: __EH_prolog3.LIBCMT ref: 004112E6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1123136255-0
                                                            • Opcode ID: 96578f8bff04cf8a7b456c39c0e24a1343eb24f2b3f1e351b7eec449cc7ada3b
                                                            • Instruction ID: 4d74e45737cbc16d5ab25d606c96acb1679b630d10f22d458e1cb79225f15e9c
                                                            • Opcode Fuzzy Hash: 96578f8bff04cf8a7b456c39c0e24a1343eb24f2b3f1e351b7eec449cc7ada3b
                                                            • Instruction Fuzzy Hash: D0016130804209D6EF10EFA2C4127EE7B30AF21318F50455EE9B5725E6CB7D5ACA9A2D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E004094D4(void** __ecx, long _a4, long _a8, long _a12, long* _a16) {
                                                            				long _v8;
                                                            				long _v12;
                                                            				long _t12;
                                                            				long _t13;
                                                            				long* _t14;
                                                            
                                                            				_push(__ecx);
                                                            				_push(__ecx);
                                                            				_t12 = _a4;
                                                            				_v8 = _a8;
                                                            				_v12 = _t12;
                                                            				_t13 = SetFilePointer( *__ecx, _t12,  &_v8, _a12); // executed
                                                            				_v12 = _t13;
                                                            				if(_t13 != 0xffffffff || GetLastError() == 0) {
                                                            					_t14 = _a16;
                                                            					 *_t14 = _v12;
                                                            					_t14[1] = _v8;
                                                            					return 1;
                                                            				} else {
                                                            					return 0;
                                                            				}
                                                            			}









                                                            APIs
                                                            • SetFilePointer.KERNELBASE(?,?,?,?), ref: 004094EF
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 004094FD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: fa3f465384efa713828032d14a6a94ea8478530fef4b6e82bf37657b339afb13
                                                            • Instruction ID: fbd6efd8cf4175c4798840f9bed2d540fd355ead534814f07e711e1958e42c6f
                                                            • Opcode Fuzzy Hash: fa3f465384efa713828032d14a6a94ea8478530fef4b6e82bf37657b339afb13
                                                            • Instruction Fuzzy Hash: 73F03AB9A00208FFCF05CFA4D8848AE7BB4EF89310B108569F815A7395C734DE41EB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004179F7(void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t8;
                                                            				void* _t12;
                                                            				void* _t20;
                                                            				void* _t21;
                                                            
                                                            				_t21 = __eflags;
                                                            				E00417B6C(_t12, __edi, __esi);
                                                            				_t8 = E00418908(_t12, __edx, __edi, _t21);
                                                            				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                                                            				E004179BA( *((intOrPtr*)(_t8 + 0x54))( *((intOrPtr*)(_t8 + 0x58)), 0x42a4b0, 0xc)); // executed
                                                            				 *((intOrPtr*)(_t20 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
                                                            				return E0041B09E(_t12,  *(_t20 - 4),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14)))))),  *((intOrPtr*)(_t20 - 0x14)));
                                                            			}








                                                            APIs
                                                            • __getptd.LIBCMT ref: 00417A03
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                              • Part of subcall function 004179BA: __IsNonwritableInCurrentImage.LIBCMT ref: 004179CD
                                                              • Part of subcall function 004179BA: __getptd_noexit.LIBCMT ref: 004179DD
                                                              • Part of subcall function 004179BA: __freeptd.LIBCMT ref: 004179E7
                                                              • Part of subcall function 004179BA: ExitThread.KERNEL32 ref: 004179F0
                                                            • __XcptFilter.LIBCMT ref: 00417A24
                                                              • Part of subcall function 0041B09E: __getptd_noexit.LIBCMT ref: 0041B0A6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
                                                            • String ID:
                                                            • API String ID: 393088965-0
                                                            • Opcode ID: 6215b15f5c09947322d8b88f687601d361d4533a62d598d40856043c2456a924
                                                            • Instruction ID: 73bea7e35d643c5b26081d1ecd72eb0c33755df2b749e5cd7e68a975cd858d27
                                                            • Opcode Fuzzy Hash: 6215b15f5c09947322d8b88f687601d361d4533a62d598d40856043c2456a924
                                                            • Instruction Fuzzy Hash: E7E0ECB1E146049FE718BBA1CD46FBE7775EF44309F21404EF1016B2A2CB7DAD849A29
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00408BD0(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                            				char _v5;
                                                            				void* _t6;
                                                            				void* _t13;
                                                            
                                                            				_t6 = E00417414(__ebx, _t13, __edi, _a4); // executed
                                                            				if(_t6 == 0) {
                                                            					asm("stosb");
                                                            					return E004166E0( &_v5, 0x429378);
                                                            				}
                                                            				return _t6;
                                                            			}







                                                            APIs
                                                            • _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00417414: __FF_MSGBANNER.LIBCMT ref: 00417437
                                                              • Part of subcall function 00417414: __NMSG_WRITE.LIBCMT ref: 0041743E
                                                              • Part of subcall function 00417414: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C,00419EC2), ref: 0041748B
                                                            • __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                              • Part of subcall function 004166E0: RaiseException.KERNEL32(?,?,?,00000001), ref: 00416722
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_malloc
                                                            • String ID:
                                                            • API String ID: 2732643326-0
                                                            • Opcode ID: d4306bca08c0742015f8dd9fb624f9e6256735586e9571db0372f55418b293d0
                                                            • Instruction ID: 04aa4d66bcb8eae7d744240562f1434118ced274b530ac757c2cc185b7e384fe
                                                            • Opcode Fuzzy Hash: d4306bca08c0742015f8dd9fb624f9e6256735586e9571db0372f55418b293d0
                                                            • Instruction Fuzzy Hash: A0D05E3490834979CF01EBA5D802AEE7F7C4945298B4004EAE84062243DA7AE64F9668
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041AA52(int _a4) {
                                                            
                                                            				E0041AA27(_a4);
                                                            				ExitProcess(_a4);
                                                            			}




                                                            APIs
                                                            • ___crtCorExitProcess.LIBCMT ref: 0041AA5A
                                                              • Part of subcall function 0041AA27: GetModuleHandleW.KERNEL32(mscoree.dll,?,0041AA5F,?,?,0041744D,000000FF,0000001E,?,0041ADD9,?,00000001,?,?,00419E31,00000018), ref: 0041AA31
                                                              • Part of subcall function 0041AA27: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041AA41
                                                            • ExitProcess.KERNEL32 ref: 0041AA63
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                            • String ID:
                                                            • API String ID: 2427264223-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E0040C166(void* __ebx, intOrPtr __ecx, signed int __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				void* _t164;
                                                            				signed int _t168;
                                                            				signed int _t170;
                                                            				intOrPtr* _t173;
                                                            				signed int _t174;
                                                            				intOrPtr* _t176;
                                                            				intOrPtr* _t178;
                                                            				signed int _t179;
                                                            				signed int _t180;
                                                            				signed int _t181;
                                                            				signed int _t183;
                                                            				signed int _t184;
                                                            				signed int _t188;
                                                            				signed int _t190;
                                                            				signed int _t191;
                                                            				signed int _t192;
                                                            				signed int _t198;
                                                            				signed int _t200;
                                                            				signed int _t202;
                                                            				signed int _t203;
                                                            				signed int _t207;
                                                            				signed int _t212;
                                                            				signed int _t214;
                                                            				signed int _t215;
                                                            				signed int _t216;
                                                            				signed int _t223;
                                                            				signed int _t225;
                                                            				signed int _t226;
                                                            				signed int _t227;
                                                            				signed int _t235;
                                                            				intOrPtr _t243;
                                                            				signed int _t245;
                                                            				intOrPtr* _t246;
                                                            				signed int _t248;
                                                            				void* _t253;
                                                            				signed int _t300;
                                                            				intOrPtr _t304;
                                                            				intOrPtr* _t306;
                                                            				signed int _t307;
                                                            				intOrPtr* _t308;
                                                            
                                                            				_t300 = __edi;
                                                            				_push(0x78);
                                                            				_t164 = E00416B21(E00421AC5, __ebx, __edi, __esi);
                                                            				_t243 = __ecx;
                                                            				 *((intOrPtr*)(_t308 + 0x18)) = __ecx;
                                                            				E0040B772(_t164, __ecx);
                                                            				if( *((intOrPtr*)( *((intOrPtr*)(_t308 + 0x38)) + 8)) < 0x20) {
                                                            					while(1) {
                                                            						_t304 =  *((intOrPtr*)(_t308 + 0x38));
                                                            						_t168 =  *(_t304 + 8);
                                                            						_t248 =  *(_t243 + 8);
                                                            						_t300 = _t300 | 0xffffffff;
                                                            						__eflags = _t168 - 1;
                                                            						 *(_t308 + 0x14) = _t300;
                                                            						if(_t168 < 1) {
                                                            							goto L6;
                                                            						}
                                                            						L4:
                                                            						__eflags = _t248 - _t168;
                                                            						if(_t248 >= _t168) {
                                                            							L53:
                                                            							__eflags =  *(_t243 + 8);
                                                            							 *((char*)(_t243 + 0x30)) = _t168 & 0xffffff00 |  *(_t243 + 8) != 0x00000000;
                                                            							_t170 = 0;
                                                            							__eflags = 0;
                                                            							goto L54;
                                                            						} else {
                                                            							 *(_t308 + 0x14) =  *(_t304 + (_t168 - _t248) * 4 - 4);
                                                            							L7:
                                                            							__eflags = _t248;
                                                            							if(__eflags != 0) {
                                                            								_t306 =  *((intOrPtr*)( *((intOrPtr*)(_t243 + 0xc)) + _t248 * 4 - 4));
                                                            								 *((short*)(_t308 + 4)) = 0;
                                                            								 *((short*)(_t308 + 6)) = 0;
                                                            								_t173 =  *_t306;
                                                            								 *(_t308 - 4) = 1;
                                                            								_t174 =  *((intOrPtr*)( *_t173 + 0x20))(_t173, 1, _t308 + 4);
                                                            								__eflags = _t174;
                                                            								if(_t174 != 0) {
                                                            									L36:
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									_t307 = _t174;
                                                            									E00409A4A(_t308 + 4);
                                                            									L35:
                                                            									_t170 = _t307;
                                                            									goto L54;
                                                            								}
                                                            								__eflags =  *((short*)(_t308 + 4)) - 0x13;
                                                            								if( *((short*)(_t308 + 4)) != 0x13) {
                                                            									_t160 = _t308 - 4;
                                                            									 *_t160 =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags =  *_t160;
                                                            									_t253 = _t308 + 4;
                                                            									L75:
                                                            									_t168 = E00409A4A(_t253);
                                                            									goto L53;
                                                            								}
                                                            								_t176 =  *_t306;
                                                            								_t300 =  *(_t308 + 0xc);
                                                            								_t174 =  *((intOrPtr*)( *_t176 + 0x14))(_t176, _t308);
                                                            								__eflags = _t174;
                                                            								if(_t174 != 0) {
                                                            									goto L36;
                                                            								}
                                                            								 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            								_t253 = _t308 + 4;
                                                            								__eflags = _t300 -  *_t308;
                                                            								if(_t300 >=  *_t308) {
                                                            									goto L75;
                                                            								}
                                                            								E00409A4A(_t253);
                                                            								 *(_t308 + 0x28) =  *(_t308 + 0x28) & 0x00000000;
                                                            								_t178 =  *_t306;
                                                            								 *(_t308 - 4) = 2;
                                                            								_t179 =  *((intOrPtr*)( *_t178))(_t178, 0x424104, _t308 + 0x28);
                                                            								__eflags = _t179;
                                                            								_t168 =  *(_t308 + 0x28);
                                                            								if(_t179 != 0) {
                                                            									L72:
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags = _t168;
                                                            									if(_t168 != 0) {
                                                            										_t168 =  *((intOrPtr*)( *_t168 + 8))(_t168);
                                                            									}
                                                            									goto L53;
                                                            								}
                                                            								__eflags = _t168;
                                                            								if(_t168 == 0) {
                                                            									goto L72;
                                                            								}
                                                            								 *(_t308 + 0x20) =  *(_t308 + 0x20) & 0x00000000;
                                                            								 *(_t308 - 4) = 3;
                                                            								_t180 =  *((intOrPtr*)( *_t168 + 0xc))(_t168, _t300, _t308 + 0x20);
                                                            								__eflags = _t180;
                                                            								_t181 =  *(_t308 + 0x20);
                                                            								if(_t180 != 0) {
                                                            									L68:
                                                            									__eflags = _t181;
                                                            									L69:
                                                            									 *(_t308 - 4) = 2;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t181 + 8))(_t181);
                                                            									}
                                                            									_t168 =  *(_t308 + 0x28);
                                                            									goto L72;
                                                            								}
                                                            								__eflags = _t181;
                                                            								if(__eflags == 0) {
                                                            									goto L69;
                                                            								}
                                                            								 *(_t308 + 0x24) =  *(_t308 + 0x24) & 0x00000000;
                                                            								_t299 = _t308 + 0x24;
                                                            								 *(_t308 - 4) = 4;
                                                            								_t183 =  *((intOrPtr*)( *_t181))(_t181, 0x424004, _t308 + 0x24);
                                                            								__eflags = _t183;
                                                            								_t184 =  *(_t308 + 0x24);
                                                            								if(_t183 != 0) {
                                                            									L65:
                                                            									 *(_t308 - 4) = 3;
                                                            									__eflags = _t184;
                                                            									if(_t184 != 0) {
                                                            										 *((intOrPtr*)( *_t184 + 8))(_t184);
                                                            									}
                                                            									_t181 =  *(_t308 + 0x20);
                                                            									goto L68;
                                                            								}
                                                            								__eflags = _t184;
                                                            								if(__eflags == 0) {
                                                            									goto L65;
                                                            								}
                                                            								E0040B9D7(_t243, _t308 - 0x48, _t300, _t306, __eflags);
                                                            								_push(_t308 - 0x44);
                                                            								_push(_t300);
                                                            								 *(_t308 - 4) = 5;
                                                            								_t188 = E0040BA1B(_t243, _t306, _t300, _t306, __eflags);
                                                            								_t245 = _t188;
                                                            								__eflags = _t245;
                                                            								if(__eflags != 0) {
                                                            									L37:
                                                            									 *(_t308 - 4) = 4;
                                                            									E0040B864(_t308 - 0x48, __eflags);
                                                            									_t190 =  *(_t308 + 0x24);
                                                            									 *(_t308 - 4) = 3;
                                                            									__eflags = _t190;
                                                            									if(_t190 != 0) {
                                                            										 *((intOrPtr*)( *_t190 + 8))(_t190);
                                                            									}
                                                            									_t191 =  *(_t308 + 0x20);
                                                            									 *(_t308 - 4) = 2;
                                                            									__eflags = _t191;
                                                            									if(_t191 != 0) {
                                                            										 *((intOrPtr*)( *_t191 + 8))(_t191);
                                                            									}
                                                            									_t192 =  *(_t308 + 0x28);
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags = _t192;
                                                            									if(_t192 != 0) {
                                                            										 *((intOrPtr*)( *_t192 + 8))(_t192);
                                                            									}
                                                            									_t170 = _t245;
                                                            									goto L54;
                                                            								}
                                                            								 *(_t308 + 0x1c) =  *(_t308 + 0x1c) & _t188;
                                                            								_t246 =  *((intOrPtr*)(_t308 + 0x48));
                                                            								 *(_t308 - 4) = 6;
                                                            								 *((intOrPtr*)( *_t246))(_t246, 0x424114, _t308 + 0x1c);
                                                            								_t198 =  *(_t308 + 0x1c);
                                                            								__eflags = _t198;
                                                            								if(__eflags != 0) {
                                                            									 *((intOrPtr*)( *_t198 + 0xc))(_t198,  *((intOrPtr*)(_t308 - 0x44)));
                                                            								}
                                                            								 *(_t308 - 0x28) = _t300;
                                                            								_t245 = E0040BD49(_t246, _t308 - 0x48, _t299, _t300, _t306, __eflags,  *((intOrPtr*)(_t308 + 0x34)),  *(_t308 + 0x14),  *(_t308 + 0x24), 0, _t246);
                                                            								__eflags = _t245 - 1;
                                                            								if(_t245 == 1) {
                                                            									_t200 =  *(_t308 + 0x1c);
                                                            									 *(_t308 - 4) = 5;
                                                            									__eflags = _t200;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t200 + 8))(_t200);
                                                            									}
                                                            									 *(_t308 - 4) = 4;
                                                            									E0040B864(_t308 - 0x48, __eflags);
                                                            									_t202 =  *(_t308 + 0x24);
                                                            									 *(_t308 - 4) = 3;
                                                            									__eflags = _t202;
                                                            									if(_t202 != 0) {
                                                            										 *((intOrPtr*)( *_t202 + 8))(_t202);
                                                            									}
                                                            									_t203 =  *(_t308 + 0x20);
                                                            									 *(_t308 - 4) = 2;
                                                            									__eflags = _t203;
                                                            									if(_t203 != 0) {
                                                            										 *((intOrPtr*)( *_t203 + 8))(_t203);
                                                            									}
                                                            									_t168 =  *(_t308 + 0x28);
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags = _t168;
                                                            									if(_t168 != 0) {
                                                            										_t168 =  *((intOrPtr*)( *_t168 + 8))(_t168);
                                                            									}
                                                            									_t243 =  *((intOrPtr*)(_t308 + 0x18));
                                                            									goto L53;
                                                            								} else {
                                                            									__eflags = _t245;
                                                            									if(__eflags != 0) {
                                                            										_t207 =  *(_t308 + 0x1c);
                                                            										 *(_t308 - 4) = 5;
                                                            										__eflags = _t207;
                                                            										if(__eflags != 0) {
                                                            											 *((intOrPtr*)( *_t207 + 8))(_t207);
                                                            										}
                                                            										goto L37;
                                                            									}
                                                            									_t307 = E0040B7A3(_t245, _t306, _t300, _t306, __eflags, _t300, _t308 - 0x24, _t308 - 0x1c);
                                                            									__eflags = _t307;
                                                            									if(__eflags != 0) {
                                                            										_t212 =  *(_t308 + 0x1c);
                                                            										 *(_t308 - 4) = 5;
                                                            										__eflags = _t212;
                                                            										if(__eflags != 0) {
                                                            											 *((intOrPtr*)( *_t212 + 8))(_t212);
                                                            										}
                                                            										 *(_t308 - 4) = 4;
                                                            										E0040B864(_t308 - 0x48, __eflags);
                                                            										_t214 =  *(_t308 + 0x24);
                                                            										 *(_t308 - 4) = 3;
                                                            										__eflags = _t214;
                                                            										if(_t214 != 0) {
                                                            											 *((intOrPtr*)( *_t214 + 8))(_t214);
                                                            										}
                                                            										_t215 =  *(_t308 + 0x20);
                                                            										 *(_t308 - 4) = 2;
                                                            										__eflags = _t215;
                                                            										if(_t215 != 0) {
                                                            											 *((intOrPtr*)( *_t215 + 8))(_t215);
                                                            										}
                                                            										_t216 =  *(_t308 + 0x28);
                                                            										 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            										__eflags = _t216;
                                                            										if(_t216 != 0) {
                                                            											 *((intOrPtr*)( *_t216 + 8))(_t216);
                                                            										}
                                                            										goto L35;
                                                            									}
                                                            									_push(_t308 - 0x48);
                                                            									E0040BB33(_t245,  *((intOrPtr*)(_t308 + 0x18)), _t300, _t307, __eflags);
                                                            									_t223 =  *(_t308 + 0x1c);
                                                            									 *(_t308 - 4) = 5;
                                                            									__eflags = _t223;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t223 + 8))(_t223);
                                                            									}
                                                            									 *(_t308 - 4) = 4;
                                                            									E0040B864(_t308 - 0x48, __eflags);
                                                            									_t225 =  *(_t308 + 0x24);
                                                            									 *(_t308 - 4) = 3;
                                                            									__eflags = _t225;
                                                            									if(_t225 != 0) {
                                                            										 *((intOrPtr*)( *_t225 + 8))(_t225);
                                                            									}
                                                            									_t226 =  *(_t308 + 0x20);
                                                            									 *(_t308 - 4) = 2;
                                                            									__eflags = _t226;
                                                            									if(_t226 != 0) {
                                                            										 *((intOrPtr*)( *_t226 + 8))(_t226);
                                                            									}
                                                            									_t227 =  *(_t308 + 0x28);
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags = _t227;
                                                            									if(_t227 != 0) {
                                                            										 *((intOrPtr*)( *_t227 + 8))(_t227);
                                                            									}
                                                            									_t243 =  *((intOrPtr*)(_t308 + 0x18));
                                                            									while(1) {
                                                            										_t304 =  *((intOrPtr*)(_t308 + 0x38));
                                                            										_t168 =  *(_t304 + 8);
                                                            										_t248 =  *(_t243 + 8);
                                                            										_t300 = _t300 | 0xffffffff;
                                                            										__eflags = _t168 - 1;
                                                            										 *(_t308 + 0x14) = _t300;
                                                            										if(_t168 < 1) {
                                                            											goto L6;
                                                            										}
                                                            										goto L4;
                                                            									}
                                                            								}
                                                            							}
                                                            							E0040B9D7(_t243, _t308 - 0x84, _t300, _t304, __eflags);
                                                            							 *(_t308 - 4) =  *(_t308 - 4) & 0x00000000;
                                                            							E00408639(_t308 - 0x80, _t308,  *((intOrPtr*)(_t308 + 0x44)));
                                                            							 *(_t308 - 0x64) = _t300;
                                                            							_t235 = E0040C093(_t243, _t308 - 0x84, 1, _t300, _t304, __eflags,  *((intOrPtr*)(_t308 + 0x34)),  *(_t308 + 0x14),  *((intOrPtr*)(_t308 + 0x3c)),  *((intOrPtr*)(_t308 + 0x40)),  *((intOrPtr*)(_t308 + 0x48))); // executed
                                                            							_t307 = _t235;
                                                            							__eflags = _t307;
                                                            							if(__eflags != 0) {
                                                            								 *(_t308 - 4) = _t300;
                                                            								E0040B864(_t308 - 0x84, __eflags);
                                                            								goto L35;
                                                            							}
                                                            							_push(_t308 - 0x84);
                                                            							E0040BB33(_t243, _t243, _t300, _t307, __eflags);
                                                            							 *(_t308 - 4) = _t300;
                                                            							E0040B864(_t308 - 0x84, __eflags);
                                                            							continue;
                                                            						}
                                                            						L6:
                                                            						__eflags = _t248 - 0x20;
                                                            						if(_t248 >= 0x20) {
                                                            							goto L53;
                                                            						}
                                                            						goto L7;
                                                            					}
                                                            				} else {
                                                            					_t170 = 0x80004001;
                                                            					L54:
                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t308 - 0xc));
                                                            					return _t170;
                                                            				}
                                                            			}


                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID:
                                                            • API String ID: 431132790-0
                                                            • Opcode ID: a745c68587d3e0408f990b5190218730a2044fcf4f7c6a4de919d18e6539e845
                                                            • Instruction ID: 9fa23c60ed07d988f1f076026fc7253265bc66fd5dd24872ef19871adf6ac9e0
                                                            • Opcode Fuzzy Hash: a745c68587d3e0408f990b5190218730a2044fcf4f7c6a4de919d18e6539e845
                                                            • Instruction Fuzzy Hash: 9FE16F30600249DFDF04DFA5C994AAE7BB8AF49318F1482A9E845EB3D1D738DE01DB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 99%
                                                            			E00407148(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _t78;
                                                            				signed int _t81;
                                                            				signed int _t82;
                                                            				signed int _t84;
                                                            				signed int _t85;
                                                            				signed int _t100;
                                                            				signed int _t101;
                                                            				signed int _t104;
                                                            				intOrPtr _t105;
                                                            				void* _t108;
                                                            				unsigned int _t110;
                                                            				signed int _t112;
                                                            				intOrPtr _t126;
                                                            				void* _t146;
                                                            				intOrPtr _t158;
                                                            				signed int _t163;
                                                            				unsigned int _t166;
                                                            				signed int _t171;
                                                            				signed int _t172;
                                                            				signed int _t173;
                                                            				signed int _t174;
                                                            				void* _t177;
                                                            
                                                            				_t158 = __edx;
                                                            				_push(0x10);
                                                            				E00416B21(E00421509, __ebx, __edi, __esi);
                                                            				_t126 = __ecx;
                                                            				if( *((intOrPtr*)(_t177 + 0x10)) != 4 ||  *((intOrPtr*)(_t177 + 0x1c)) != 1) {
                                                            					_t78 = 0x80070057;
                                                            				} else {
                                                            					if(E0040A8CF(__ecx + 0x10,  *((intOrPtr*)(__ecx + 0x4c8))) != 0) {
                                                            						_t81 = E0040A8CF(__ecx + 0x30,  *((intOrPtr*)(__ecx + 0x4cc)));
                                                            						__eflags = _t81;
                                                            						if(_t81 == 0) {
                                                            							goto L3;
                                                            						} else {
                                                            							_t82 = E0040A8CF(__ecx + 0x50,  *((intOrPtr*)(__ecx + 0x4d0)));
                                                            							__eflags = _t82;
                                                            							if(_t82 == 0) {
                                                            								goto L3;
                                                            							} else {
                                                            								_t160 = __ecx + 0x70;
                                                            								_t84 = E0040A8CF(__ecx + 0x70,  *((intOrPtr*)(__ecx + 0x4d4)));
                                                            								__eflags = _t84;
                                                            								if(_t84 == 0) {
                                                            									goto L3;
                                                            								} else {
                                                            									_t85 = E0040AB0A(__ecx + 0x4a0,  *((intOrPtr*)(__ecx + 0x4d8)));
                                                            									__eflags = _t85;
                                                            									if(_t85 == 0) {
                                                            										goto L3;
                                                            									} else {
                                                            										 *((intOrPtr*)(_t177 - 0x14)) = __ecx;
                                                            										_t169 =  *(_t177 + 8);
                                                            										 *(_t177 - 4) =  *(_t177 - 4) & 0x00000000;
                                                            										E0040A90A(__ecx + 0x10,  *( *(_t177 + 8)));
                                                            										E0040A90A(__ecx + 0x30,  *( *(_t177 + 8) + 4));
                                                            										E0040A90A(__ecx + 0x50,  *((intOrPtr*)( *(_t177 + 8) + 8)));
                                                            										E0040A90A(_t160,  *((intOrPtr*)(_t169 + 0xc)));
                                                            										E0040AB43(__ecx + 0x4a0,  *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x14)))));
                                                            										E0040A8A8(__ecx + 0x10);
                                                            										E0040A8A8(__ecx + 0x30);
                                                            										E0040A8A8(__ecx + 0x50);
                                                            										E00406F37(_t160, __eflags);
                                                            										E0040AAC9(__ecx + 0x4a0);
                                                            										_t28 = _t177 + 8;
                                                            										 *_t28 =  *(_t177 + 8) & 0x00000000;
                                                            										__eflags =  *_t28;
                                                            										memset(__ecx + 0x98, 0x400, 0x102 << 2);
                                                            										 *((char*)(_t177 + 0x14)) = 0;
                                                            										while(1) {
                                                            											L9:
                                                            											__eflags =  *(_t177 + 8) - 0x100000;
                                                            											if( *(_t177 + 8) < 0x100000) {
                                                            												goto L13;
                                                            											}
                                                            											L10:
                                                            											_t173 =  *(_t177 + 0x20);
                                                            											__eflags = _t173;
                                                            											if(_t173 == 0) {
                                                            												goto L13;
                                                            											} else {
                                                            												_t105 = E0040AAE1(_t126 + 0x4a0);
                                                            												 *((intOrPtr*)(_t177 - 0x1c)) = _t105;
                                                            												 *((intOrPtr*)(_t177 - 0x18)) = _t158;
                                                            												_t101 =  *((intOrPtr*)( *_t173 + 0xc))(_t173, 0, _t177 - 0x1c);
                                                            												__eflags = _t101;
                                                            												if(_t101 != 0) {
                                                            													L26:
                                                            													_t172 = _t101;
                                                            												} else {
                                                            													_t40 = _t177 + 8;
                                                            													 *_t40 =  *(_t177 + 8) & _t101;
                                                            													__eflags =  *_t40;
                                                            													goto L13;
                                                            												}
                                                            											}
                                                            											L27:
                                                            											 *(_t177 - 4) =  *(_t177 - 4) | 0xffffffff;
                                                            											E0040710D(_t126);
                                                            											_t78 = _t172;
                                                            											goto L31;
                                                            											L13:
                                                            											 *((char*)(_t177 + 0x1c)) = 0;
                                                            											_t171 = 0;
                                                            											__eflags = 0;
                                                            											while(1) {
                                                            												_t100 = E00406EF1(_t126 + 0x10, _t177 + 0x1c);
                                                            												_t146 = _t126 + 0x4a0;
                                                            												__eflags = _t100;
                                                            												if(_t100 == 0) {
                                                            													break;
                                                            												}
                                                            												E00406F16(_t126, _t146,  *((intOrPtr*)(_t177 + 0x1c)));
                                                            												_t104 = E00406F8F( *((intOrPtr*)(_t177 + 0x14)),  *((intOrPtr*)(_t177 + 0x1c)));
                                                            												__eflags = _t104;
                                                            												if(_t104 != 0) {
                                                            													L17:
                                                            													 *(_t177 + 8) =  *(_t177 + 8) + _t171;
                                                            													__eflags = _t171 - 0x40000;
                                                            													if(_t171 == 0x40000) {
                                                            														L9:
                                                            														__eflags =  *(_t177 + 8) - 0x100000;
                                                            														if( *(_t177 + 8) < 0x100000) {
                                                            															goto L13;
                                                            														}
                                                            													} else {
                                                            														L18:
                                                            														_t108 = E00406FFF(_t126 + 0x98 + E00406FB4( *((intOrPtr*)(_t177 + 0x14)),  *((intOrPtr*)(_t177 + 0x1c))) * 4, _t126 + 0x70);
                                                            														__eflags = _t108 - 1;
                                                            														if(_t108 != 1) {
                                                            															 *((char*)(_t177 + 0x14)) =  *((intOrPtr*)(_t177 + 0x1c));
                                                            															do {
                                                            																goto L9;
                                                            															} while (_t171 == 0x40000);
                                                            															goto L18;
                                                            														} else {
                                                            															_t163 = 0;
                                                            															__eflags =  *((char*)(_t177 + 0x1c)) - 0xe8;
                                                            															_t110 = _t126 + 0x30;
                                                            															if( *((char*)(_t177 + 0x1c)) != 0xe8) {
                                                            																_t110 = _t126 + 0x50;
                                                            															}
                                                            															 *(_t177 - 0x10) = _t110;
                                                            															_t174 = 0;
                                                            															__eflags = 0;
                                                            															while(1) {
                                                            																_t112 = E00406EF1( *(_t177 - 0x10), _t177 + 0x13);
                                                            																__eflags = _t112;
                                                            																if(_t112 == 0) {
                                                            																	break;
                                                            																}
                                                            																_t163 = _t163 << 0x00000008 |  *(_t177 + 0x13) & 0x000000ff;
                                                            																_t174 = _t174 + 1;
                                                            																__eflags = _t174 - 4;
                                                            																if(_t174 < 4) {
                                                            																	continue;
                                                            																} else {
                                                            																	_t176 = _t126 + 0x4a0;
                                                            																	_t166 = _t163 - E0040AAE1(_t126 + 0x4a0) - 4;
                                                            																	E00406F16(_t126, _t126 + 0x4a0, _t166);
                                                            																	E00406F16(_t126, _t126 + 0x4a0, _t166 >> 8);
                                                            																	E00406F16(_t126, _t176, _t166 >> 0x10);
                                                            																	 *(_t177 - 0x10) = _t166 >> 0x18;
                                                            																	E00406F16(_t126, _t176, _t166 >> 0x18);
                                                            																	 *(_t177 + 8) =  *(_t177 + 8) + 4;
                                                            																	 *((char*)(_t177 + 0x14)) =  *(_t177 - 0x10);
                                                            																	while(1) {
                                                            																		L9:
                                                            																		__eflags =  *(_t177 + 8) - 0x100000;
                                                            																		if( *(_t177 + 8) < 0x100000) {
                                                            																			goto L13;
                                                            																		}
                                                            																		goto L10;
                                                            																	}
                                                            																}
                                                            																goto L27;
                                                            															}
                                                            															_t172 = 1;
                                                            														}
                                                            													}
                                                            												} else {
                                                            													_t171 = _t171 + 1;
                                                            													 *((char*)(_t177 + 0x14)) =  *((intOrPtr*)(_t177 + 0x1c));
                                                            													__eflags = _t171 - 0x40000;
                                                            													if(_t171 < 0x40000) {
                                                            														continue;
                                                            													} else {
                                                            														goto L17;
                                                            													}
                                                            												}
                                                            												goto L27;
                                                            											}
                                                            											_t101 = E0040ABDB(_t146);
                                                            											goto L26;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					} else {
                                                            						L3:
                                                            						_t78 = 0x8007000e;
                                                            					}
                                                            				}
                                                            				L31:
                                                            				return E00416BF9(_t78);
                                                            			}


























                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID:
                                                            • API String ID: 431132790-0
                                                            • Opcode ID: 094f822e556a98e56eb2db85d0f01294e4a17ea916421102d3e624c15ae0b408
                                                            • Instruction ID: 7191734e02ba6b0490eaad6bba1f0a6d97c017ddc93a550bea6bd24f0e2c9c2a
                                                            • Opcode Fuzzy Hash: 094f822e556a98e56eb2db85d0f01294e4a17ea916421102d3e624c15ae0b408
                                                            • Instruction Fuzzy Hash: 8061C2319002068BCF05EF25C881AAE3765AF50308F04407EFD567B2D3DB3CA926DB9A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E004135E5(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				void* _t74;
                                                            				void* _t78;
                                                            				void* _t82;
                                                            				void* _t86;
                                                            				intOrPtr _t93;
                                                            				intOrPtr _t110;
                                                            				void* _t113;
                                                            				void* _t129;
                                                            				void* _t131;
                                                            				void* _t133;
                                                            				intOrPtr _t139;
                                                            				void* _t156;
                                                            				char* _t158;
                                                            				intOrPtr _t161;
                                                            				intOrPtr _t162;
                                                            				intOrPtr _t163;
                                                            				intOrPtr* _t165;
                                                            				void* _t170;
                                                            
                                                            				_t170 = __eflags;
                                                            				_t160 = __esi;
                                                            				_t156 = __edx;
                                                            				_push(0x70);
                                                            				E00416B21(E0042220A, __ebx, __edi, __esi);
                                                            				_t158 =  *((intOrPtr*)(_t165 + 0x30));
                                                            				 *_t158 = 0;
                                                            				E004134F7(0, _t165 - 0x7c, _t158, __esi, _t170);
                                                            				 *(_t165 - 4) = 0;
                                                            				_t74 = E0040C825(_t165 - 0x7c, _t165 + 0xc, 0xa);
                                                            				 *(_t165 - 4) = 1;
                                                            				E00408639(0x43060c, _t165, _t74);
                                                            				_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            				 *(_t165 - 4) = 0;
                                                            				L00408BFB(0, _t158, __esi, _t170);
                                                            				_pop(_t129);
                                                            				_t78 = E0040C825(_t129, _t165 + 0xc, 0x18);
                                                            				 *(_t165 - 4) = 2;
                                                            				E00408639(0x430618, _t165, _t78);
                                                            				_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            				 *(_t165 - 4) = 0;
                                                            				L00408BFB(0, _t158, __esi, _t170);
                                                            				_pop(_t131);
                                                            				_t82 = E0040C825(_t131, _t165 + 0xc, 0x19);
                                                            				 *(_t165 - 4) = 3;
                                                            				E00408639(0x430624, _t165, _t82);
                                                            				_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            				 *(_t165 - 4) = 0;
                                                            				L00408BFB(0, _t158, _t160, _t170);
                                                            				_pop(_t133);
                                                            				_t86 = E0040C825(_t133, _t165 + 0xc, 0x1a);
                                                            				 *(_t165 - 4) = 4;
                                                            				E00408639(0x430630, _t165, _t86);
                                                            				_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            				 *(_t165 - 4) = 0;
                                                            				L00408BFB(0, _t158, _t160, _t170);
                                                            				 *((intOrPtr*)(_t165 - 0x7c)) =  *((intOrPtr*)(_t165 + 0x20));
                                                            				E00408639(_t165 - 0x78, _t165,  *((intOrPtr*)(_t165 + 0x24)));
                                                            				E00408639(_t165 - 0x6c, _t165,  *((intOrPtr*)(_t165 + 0x28)));
                                                            				_t139 = E00408BD0(0, _t158, _t170, 0x140);
                                                            				 *((intOrPtr*)(_t165 + 0x30)) = _t139;
                                                            				 *(_t165 - 4) = 5;
                                                            				_t171 = _t139;
                                                            				if(_t139 == 0) {
                                                            					_t93 = 0;
                                                            					__eflags = 0;
                                                            				} else {
                                                            					_t93 = E0041310D(0, _t139, _t158, _t160, _t171);
                                                            				}
                                                            				 *(_t165 - 4) = 0;
                                                            				 *((intOrPtr*)(_t165 - 0x60)) = _t93;
                                                            				E00406200(_t165 - 0x5c, _t93);
                                                            				_t161 =  *((intOrPtr*)(_t165 + 0x3c));
                                                            				 *((char*)( *((intOrPtr*)(_t165 - 0x60)) + 0x120)) = E00408639( *((intOrPtr*)(_t165 - 0x60)) + 0x124, _t165, _t161) & 0xffffff00 |  *((intOrPtr*)(_t161 + 4)) != 0x00000000;
                                                            				 *((char*)( *((intOrPtr*)(_t165 - 0x60)) + 0x139)) =  *((intOrPtr*)(_t165 + 0x40));
                                                            				if( *((intOrPtr*)(_t165 + 0x2c)) == 0) {
                                                            					E00413320(0, _t165 - 0x7c, _t156, _t158, _t161, __eflags);
                                                            					goto L9;
                                                            				} else {
                                                            					 *((intOrPtr*)(_t165 + 0x40)) = 0;
                                                            					 *(_t165 - 4) = 6;
                                                            					_t110 = E0040FC50(_t156, _t161, _t165 + 0x40, E004134E9, _t165 - 0x7c); // executed
                                                            					_t163 = _t110;
                                                            					_t174 = _t163;
                                                            					if(_t163 == 0) {
                                                            						E0040320A(_t165 + 0xc);
                                                            						 *(_t165 - 4) = 7;
                                                            						_t113 = E0040C825(_t165 + 0xc, _t165, 0x45);
                                                            						 *(_t165 - 4) = 8;
                                                            						E00408639(_t165 + 0xc, _t165, _t113);
                                                            						_push( *_t165);
                                                            						 *(_t165 - 4) = 7;
                                                            						L00408BFB(0, _t158, _t163, __eflags);
                                                            						E004130B7(0,  *((intOrPtr*)(_t165 - 0x60)), _t158, __eflags, _t165 + 0xc, _t165 + 0x40); // executed
                                                            						_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            						L00408BFB(0, _t158, _t163, __eflags);
                                                            						 *(_t165 - 4) = 0;
                                                            						E0040FC1B(_t165 + 0x40);
                                                            						L9:
                                                            						_t162 =  *((intOrPtr*)(_t165 + 0x34));
                                                            						E00408639(_t162, _t165, _t165 - 0x18);
                                                            						__eflags =  *((intOrPtr*)(_t162 + 4));
                                                            						if(__eflags == 0) {
                                                            							__eflags =  *((intOrPtr*)(_t165 - 0x60)) + 0x114;
                                                            							E00408639(_t162, _t165,  *((intOrPtr*)(_t165 - 0x60)) + 0x114);
                                                            						}
                                                            						_t163 =  *((intOrPtr*)(_t165 - 0x1c));
                                                            						 *_t158 =  *((intOrPtr*)( *((intOrPtr*)(_t165 - 0x60)) + 0x110));
                                                            						L6:
                                                            						 *(_t165 - 4) =  *(_t165 - 4) | 0xffffffff;
                                                            						E0041353C(_t165 - 0x7c, _t163, _t174); // executed
                                                            						 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0xc));
                                                            						return _t163;
                                                            					}
                                                            					E0040FC1B(_t165 + 0x40);
                                                            					goto L6;
                                                            				}
                                                            			}

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 004135F0
                                                              • Part of subcall function 004134F7: __EH_prolog3.LIBCMT ref: 004134FE
                                                              • Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                              • Part of subcall function 0041310D: __EH_prolog3.LIBCMT ref: 00413114
                                                              • Part of subcall function 004130B7: ShowWindow.USER32(?,00000001,00000000,?,?,00000000), ref: 00413100
                                                              • Part of subcall function 0040FC1B: FindCloseChangeNotification.KERNELBASE(?,?,00401769,?,?,00401A40,?,?,?), ref: 0040FC27
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$ChangeCloseException@8FindNotificationShowThrowWindow_malloc
                                                            • String ID:
                                                            • API String ID: 3148577082-0
                                                            • Opcode ID: 1cecaef1887d38932e9bad06ee4af9241c213ef7cd2f675f6b92a21c1f164fe3
                                                            • Instruction ID: 32821a47a4495b02cd0ca02b977b7952fd0f103a46899cb1509da0f48fa3398e
                                                            • Opcode Fuzzy Hash: 1cecaef1887d38932e9bad06ee4af9241c213ef7cd2f675f6b92a21c1f164fe3
                                                            • Instruction Fuzzy Hash: 6261C37190028CEFCF01EFA4C856ADD7BB4AF19314F14806FF954A7282DA3C9A09CB59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E00403975(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _t69;
                                                            				intOrPtr* _t74;
                                                            				intOrPtr* _t75;
                                                            				intOrPtr* _t82;
                                                            				intOrPtr* _t83;
                                                            				intOrPtr* _t88;
                                                            				intOrPtr* _t89;
                                                            				intOrPtr* _t93;
                                                            				intOrPtr _t96;
                                                            				char* _t119;
                                                            				intOrPtr* _t121;
                                                            				void* _t122;
                                                            
                                                            				E00416BC0(E00421040, __ebx, __edi, __esi);
                                                            				_t121 =  *((intOrPtr*)(_t122 + 8));
                                                            				_t96 =  *((intOrPtr*)(_t122 + 0x14));
                                                            				 *((intOrPtr*)(_t122 - 0x70)) =  *((intOrPtr*)(_t122 + 0xc));
                                                            				 *((intOrPtr*)(_t122 - 0x74)) =  *((intOrPtr*)(_t122 + 0x10));
                                                            				_t118 = 0;
                                                            				 *((intOrPtr*)(_t122 - 0x78)) = _t121;
                                                            				 *((intOrPtr*)(_t122 - 4)) = 0;
                                                            				 *((intOrPtr*)( *_t121 + 0x10))(_t121, 0x78);
                                                            				 *((char*)(_t122 - 4)) = 1;
                                                            				E0040222C(_t122 - 0x6c, _t96);
                                                            				 *((intOrPtr*)(_t122 - 0x68)) = 0;
                                                            				 *((char*)(_t122 - 4)) = 3;
                                                            				_t124 = _t96;
                                                            				if(_t96 != 0) {
                                                            					_t93 =  *((intOrPtr*)(_t122 - 0x6c));
                                                            					_t116 = _t122 - 0x68;
                                                            					 *((intOrPtr*)( *_t93))(_t93, 0x424174, _t122 - 0x68);
                                                            				}
                                                            				 *((intOrPtr*)(_t122 - 0x64)) = _t118;
                                                            				 *((intOrPtr*)(_t122 - 0x5c)) = _t118;
                                                            				 *((intOrPtr*)(_t122 - 0x58)) = _t118;
                                                            				 *((intOrPtr*)(_t122 - 0x54)) = _t118;
                                                            				 *((intOrPtr*)(_t122 - 0x50)) = 4;
                                                            				 *((intOrPtr*)(_t122 - 0x60)) = 0x4234bc;
                                                            				_push( *((intOrPtr*)(_t122 - 0x74)));
                                                            				 *((char*)(_t122 - 4)) = 4;
                                                            				_t97 = E0040469F(_t96, _t122 - 0x64, _t122, _t124,  *((intOrPtr*)(_t122 - 0x70)));
                                                            				_t125 = _t97 - _t118;
                                                            				if(_t97 == _t118) {
                                                            					_t119 = _t121 + 0x1e0;
                                                            					 *_t119 = 0;
                                                            					E0040320A(_t122 - 0x84);
                                                            					_push(_t119);
                                                            					_push( *((intOrPtr*)(_t122 - 0x68)));
                                                            					_t97 = _t121 + 0x10;
                                                            					_push(_t121 + 0x10);
                                                            					 *((char*)(_t122 - 4)) = 5;
                                                            					_t69 = E004060EC(_t122 - 0x64, __eflags); // executed
                                                            					_t118 = _t69;
                                                            					__eflags = _t69;
                                                            					if(__eflags == 0) {
                                                            						E0040309E(_t97, _t97, _t116, __eflags);
                                                            						E00406200(_t121 + 8,  *((intOrPtr*)(_t122 - 0x70)));
                                                            						_push( *((intOrPtr*)(_t122 - 0x84)));
                                                            						L00408BFB(_t97, _t118, _t121, __eflags);
                                                            						 *((char*)(_t122 - 4)) = 3;
                                                            						E004037B0(_t122 - 0x64, _t121, __eflags);
                                                            						_t74 =  *((intOrPtr*)(_t122 - 0x68));
                                                            						 *((char*)(_t122 - 4)) = 2;
                                                            						__eflags = _t74;
                                                            						if(_t74 != 0) {
                                                            							 *((intOrPtr*)( *_t74 + 8))(_t74);
                                                            						}
                                                            						_t75 =  *((intOrPtr*)(_t122 - 0x6c));
                                                            						 *((char*)(_t122 - 4)) = 1;
                                                            						__eflags = _t75;
                                                            						if(_t75 != 0) {
                                                            							 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                            						}
                                                            					} else {
                                                            						_push( *((intOrPtr*)(_t122 - 0x84)));
                                                            						L00408BFB(_t97, _t118, _t121, __eflags);
                                                            						 *((char*)(_t122 - 4)) = 3;
                                                            						E004037B0(_t122 - 0x64, _t121, __eflags);
                                                            						_t82 =  *((intOrPtr*)(_t122 - 0x68));
                                                            						 *((char*)(_t122 - 4)) = 2;
                                                            						__eflags = _t82;
                                                            						if(_t82 != 0) {
                                                            							 *((intOrPtr*)( *_t82 + 8))(_t82);
                                                            						}
                                                            						_t83 =  *((intOrPtr*)(_t122 - 0x6c));
                                                            						 *((char*)(_t122 - 4)) = 1;
                                                            						__eflags = _t83;
                                                            						if(_t83 != 0) {
                                                            							 *((intOrPtr*)( *_t83 + 8))(_t83);
                                                            						}
                                                            					}
                                                            				} else {
                                                            					 *((char*)(_t122 - 4)) = 3;
                                                            					E004037B0(_t122 - 0x64, _t121, _t125);
                                                            					_t88 =  *((intOrPtr*)(_t122 - 0x68));
                                                            					 *((char*)(_t122 - 4)) = 2;
                                                            					if(_t88 != _t118) {
                                                            						 *((intOrPtr*)( *_t88 + 8))(_t88);
                                                            					}
                                                            					_t89 =  *((intOrPtr*)(_t122 - 0x6c));
                                                            					 *((char*)(_t122 - 4)) = 1;
                                                            					if(_t89 != _t118) {
                                                            						 *((intOrPtr*)( *_t89 + 8))(_t89);
                                                            					}
                                                            				}
                                                            				return E00416C1C(_t97, _t118, _t121);
                                                            			}
















                                                            APIs
                                                            • __EH_prolog3_catch_GS.LIBCMT ref: 0040397C
                                                              • Part of subcall function 004060EC: __EH_prolog3_catch.LIBCMT ref: 004060F3
                                                              • Part of subcall function 004037B0: __EH_prolog3.LIBCMT ref: 004037B7
                                                              • Part of subcall function 004037B0: ~_Task_impl.LIBCPMT ref: 004037C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3H_prolog3_catchH_prolog3_catch_Task_impl
                                                            • String ID:
                                                            • API String ID: 3316410470-0
                                                            • Opcode ID: e2295fb80c2056a44aec580e3b47a8f3124a2c9b0920453268770037ce4861f1
                                                            • Instruction ID: 0df43bebe7c24eb3054dd4c9a2fea3a8a503b60659171841bb980735a1a66d0f
                                                            • Opcode Fuzzy Hash: e2295fb80c2056a44aec580e3b47a8f3124a2c9b0920453268770037ce4861f1
                                                            • Instruction Fuzzy Hash: FB516D70A00349DFDB01DFE5C548A9DBFB8AF55308F24409EE44ABB382DB799A45CB15
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E00410C9B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t38;
                                                            				void* _t42;
                                                            				intOrPtr _t47;
                                                            				void* _t52;
                                                            				intOrPtr _t53;
                                                            				intOrPtr _t57;
                                                            				void* _t75;
                                                            				intOrPtr _t76;
                                                            				void* _t77;
                                                            
                                                            				_t77 = __eflags;
                                                            				_t72 = __edi;
                                                            				_t71 = __edx;
                                                            				_push(0x60);
                                                            				E00416B21(E00421CDA, __ebx, __edi, __esi);
                                                            				E0040320A(_t75 - 0x44);
                                                            				_t74 =  *((intOrPtr*)(_t75 + 8));
                                                            				_push(0x5c);
                                                            				_push( *((intOrPtr*)(_t75 + 8)));
                                                            				_t57 = 0;
                                                            				_push(_t75 - 0x18);
                                                            				 *((intOrPtr*)(_t75 - 4)) = 0;
                                                            				E00410931(0, __edx, __edi, _t74, _t77);
                                                            				_push(0x2a);
                                                            				_push(_t75 - 0x18);
                                                            				_push(_t75 - 0x24);
                                                            				 *((char*)(_t75 - 4)) = 1;
                                                            				_push(E00410931(0, __edx, _t72, _t74, _t77));
                                                            				 *((char*)(_t75 - 4)) = 2;
                                                            				E00410971(0, _t75 - 0x34, _t72, _t74, _t77);
                                                            				_push( *((intOrPtr*)(_t75 - 0x24)));
                                                            				 *((char*)(_t75 - 4)) = 4;
                                                            				L00408BFB(0, _t72, _t74, _t77);
                                                            				while(1) {
                                                            					_t38 = E004093F7(_t75 - 0x34, _t75, _t75 - 0x6c);
                                                            					_t78 = _t38;
                                                            					if(_t38 == 0) {
                                                            						break;
                                                            					}
                                                            					_push(_t75 - 0x6c);
                                                            					_t76 = _t76 - 0xc;
                                                            					 *((intOrPtr*)(_t75 + 8)) = _t76;
                                                            					E00404082(_t76, _t75, _t75 - 0x18); // executed
                                                            					_t42 = E00410C2B(_t57, _t71, __eflags); // executed
                                                            					__eflags = _t42 - _t57;
                                                            					if(__eflags == 0) {
                                                            						_push( *((intOrPtr*)(_t75 - 0x30)));
                                                            						 *((char*)(_t75 - 4)) = 1;
                                                            						L00408BFB(_t57, _t72, _t74, __eflags);
                                                            						E004091A4(_t75 - 0x34);
                                                            						_push( *((intOrPtr*)(_t75 - 0x18)));
                                                            						L00408BFB(_t57, _t72, _t74, __eflags);
                                                            						_push( *((intOrPtr*)(_t75 - 0x44)));
                                                            						L00408BFB(_t57, _t72, _t74, __eflags);
                                                            						_t47 = 0;
                                                            					} else {
                                                            						continue;
                                                            					}
                                                            					L5:
                                                            					return E00416BF9(_t47);
                                                            				}
                                                            				_push( *((intOrPtr*)(_t75 - 0x30)));
                                                            				 *((char*)(_t75 - 4)) = 1;
                                                            				L00408BFB(_t57, _t72, _t74, _t78);
                                                            				E004091A4(_t75 - 0x34);
                                                            				_t52 = E00410A7A(_t57, _t72, _t74, _t78,  *_t74, _t57); // executed
                                                            				_t79 = _t52;
                                                            				if(_t52 != 0) {
                                                            					_t53 = E00410AE4(_t57, _t72, _t74, __eflags,  *_t74); // executed
                                                            					_t57 = _t53;
                                                            				}
                                                            				_push( *((intOrPtr*)(_t75 - 0x18)));
                                                            				L00408BFB(_t57, _t72, _t74, _t79);
                                                            				_push( *((intOrPtr*)(_t75 - 0x44)));
                                                            				L00408BFB(_t57, _t72, _t74, _t79);
                                                            				_t47 = _t57;
                                                            				goto L5;
                                                            			}


                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410CA2
                                                              • Part of subcall function 00410931: __EH_prolog3.LIBCMT ref: 00410938
                                                              • Part of subcall function 00410971: __EH_prolog3.LIBCMT ref: 00410978
                                                              • Part of subcall function 004091A4: FindClose.KERNELBASE ref: 004091AF
                                                              • Part of subcall function 00410AE4: __EH_prolog3.LIBCMT ref: 00410AEB
                                                              • Part of subcall function 00410AE4: RemoveDirectoryW.KERNELBASE(?,0000000C), ref: 00410AF9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$CloseDirectoryFindRemove
                                                            • String ID:
                                                            • API String ID: 1902238476-0
                                                            • Opcode ID: 4fbb5a808f8d1446f06ffaa4c05493f735c7c2265915495fb556f648af173519
                                                            • Instruction ID: a3cc244adccf2e4cac89145f1c327d215d4d92245b22a372655b58a5773b09a4
                                                            • Opcode Fuzzy Hash: 4fbb5a808f8d1446f06ffaa4c05493f735c7c2265915495fb556f648af173519
                                                            • Instruction Fuzzy Hash: E52181B1804108AEDF00FBE5DA52ADE7BB89F14318F10406FF580771D3DEB96AC59A69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00411EC8(void* __ecx, void* __edx) {
                                                            				intOrPtr _v8;
                                                            				char _v12;
                                                            				signed int _v16;
                                                            				signed int _v20;
                                                            				intOrPtr _t25;
                                                            				signed int _t27;
                                                            				void* _t35;
                                                            				signed int _t37;
                                                            				void* _t39;
                                                            
                                                            				_t35 = __edx;
                                                            				_t39 = __ecx;
                                                            				_t36 = __ecx + 0x58;
                                                            				if(E00411CFC(__ecx + 0x58) == 0) {
                                                            					E00411E99(__ecx);
                                                            					E00411D6E(_t36,  &_v20,  &_v12);
                                                            					_t37 = _v20;
                                                            					_t27 = _v16;
                                                            					if(_t37 !=  *((intOrPtr*)(__ecx + 0x40)) || _t27 !=  *((intOrPtr*)(__ecx + 0x44))) {
                                                            						E00411DDF(_t39, _t37, _t27);
                                                            					}
                                                            					E00411E2A(_t39, _v12, _v8); // executed
                                                            					if((_t37 | _t27) == 0) {
                                                            						_t37 = 1;
                                                            						_t27 = 0;
                                                            					}
                                                            					_t25 = E00417E00(E004176B0(_v12, _v8, 0x64, 0), _t35, _t37, _t27);
                                                            					if(_t25 !=  *((intOrPtr*)(_t39 + 0x4c))) {
                                                            						 *((intOrPtr*)(_t39 + 0x4c)) = _t25;
                                                            					}
                                                            				}
                                                            				return 1;
                                                            			}


                                                            APIs
                                                              • Part of subcall function 00411CFC: EnterCriticalSection.KERNEL32(?,?,?,?,00411EDC), ref: 00411D05
                                                              • Part of subcall function 00411CFC: LeaveCriticalSection.KERNEL32(?,?,?,00411EDC), ref: 00411D0F
                                                              • Part of subcall function 00411E99: PostMessageW.USER32(?,00008000,00000000,00000000), ref: 00411EAE
                                                              • Part of subcall function 00411D6E: EnterCriticalSection.KERNEL32(?,?,?,00411EF7,?,?), ref: 00411D76
                                                              • Part of subcall function 00411D6E: LeaveCriticalSection.KERNEL32(?,?,00411EF7,?,?), ref: 00411D9B
                                                            • __aulldiv.LIBCMT ref: 00411F3B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$MessagePost__aulldiv
                                                            • String ID:
                                                            • API String ID: 3743465594-0
                                                            • Opcode ID: a8577b5923c133be84352f7fc4ff1d46fad0c7c12c13c5344a69fe3690ba1475
                                                            • Instruction ID: 519ab6dd52a514ac1fada1918d288c045c626b422648050e404c23596e31d368
                                                            • Opcode Fuzzy Hash: a8577b5923c133be84352f7fc4ff1d46fad0c7c12c13c5344a69fe3690ba1475
                                                            • Instruction Fuzzy Hash: A8016175700214ABDB21AB968C819FFB7BEAB84714F00045BF642A3661D779BD828668
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E0040A912(intOrPtr* __ecx, void* __edi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				intOrPtr* _t21;
                                                            				char _t22;
                                                            				intOrPtr _t23;
                                                            				signed int _t24;
                                                            				signed int _t25;
                                                            				signed int _t26;
                                                            				intOrPtr _t30;
                                                            				intOrPtr _t31;
                                                            				intOrPtr* _t39;
                                                            
                                                            				_push(__ecx);
                                                            				_push(__ecx);
                                                            				_t39 = __ecx;
                                                            				if( *((char*)(__ecx + 0x1c)) == 0) {
                                                            					_t30 =  *((intOrPtr*)(__ecx + 8));
                                                            					asm("cdq");
                                                            					 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(__ecx + 0x10)) +  *__ecx - _t30;
                                                            					_t21 =  *((intOrPtr*)(__ecx + 0xc));
                                                            					asm("adc [esi+0x14], edx");
                                                            					_t22 =  *((intOrPtr*)( *_t21 + 0xc))(_t21, _t30,  *((intOrPtr*)(__ecx + 0x18)),  &_v12, __edi);
                                                            					if(_t22 != 0) {
                                                            						_v8 = _t22;
                                                            						E004166E0( &_v8, 0x4295d4);
                                                            					}
                                                            					_t23 =  *((intOrPtr*)(_t39 + 8));
                                                            					_t31 = _v12;
                                                            					 *_t39 = _t23;
                                                            					_t24 = _t23 + _t31;
                                                            					 *(_t39 + 4) = _t24;
                                                            					_t25 = _t24 & 0xffffff00 | _t31 == 0x00000000;
                                                            					 *(_t39 + 0x1c) = _t25;
                                                            					_t26 = 0 | _t25 == 0x00000000;
                                                            				} else {
                                                            					_t26 = 0;
                                                            				}
                                                            				return _t26;
                                                             			}

                                                            APIs
                                                            • __CxxThrowException@8.LIBCMT ref: 0040A955
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw
                                                            • String ID:
                                                            • API String ID: 2005118841-0
                                                            • Opcode ID: 9a5bb656170a8548dc9b28687d5c3d08d929b8bddbdff51618608348ab6e88b3
                                                            • Instruction ID: 50af47bc67f8884ff376a5bab392e23a2d223ecb1341b9976338e81d63542ba6
                                                            • Opcode Fuzzy Hash: 9a5bb656170a8548dc9b28687d5c3d08d929b8bddbdff51618608348ab6e88b3
                                                            • Instruction Fuzzy Hash: 520171B1600701AFCB28CF69C80599BBBF8EF453547048A6EA4C6D3651D774F945CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E00410C2B(void* __ebx, void* __edx, void* __eflags) {
                                                            				intOrPtr _t17;
                                                            				intOrPtr* _t21;
                                                            				void* _t22;
                                                            				void* _t28;
                                                            				signed char _t32;
                                                            				void* _t36;
                                                            				void* _t37;
                                                            				void* _t38;
                                                            
                                                            				_t29 = __ebx;
                                                            				_push(0x18);
                                                            				E00416B21(E00421C9F, __ebx, _t36, _t37);
                                                            				_t17 =  *((intOrPtr*)(_t38 + 0x14));
                                                            				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                                            				_push(_t17 + 0x28);
                                                            				_t32 =  *(_t17 + 0x20) >> 4;
                                                            				_push(_t38 + 8);
                                                            				_t40 = _t32 & 0x00000001;
                                                            				if((_t32 & 0x00000001) == 0) {
                                                            					_push(_t38 - 0x24);
                                                            					_t21 = E004096A4(__ebx, _t36, _t37, __eflags);
                                                            					 *(_t38 - 4) = 2;
                                                            					_t22 = E00410BBB(_t29, _t36, _t37, __eflags,  *_t21); // executed
                                                            					_push( *((intOrPtr*)(_t38 - 0x24)));
                                                            				} else {
                                                            					_push(_t38 - 0x18);
                                                            					_t28 = E004096A4(__ebx, _t36, _t37, _t40);
                                                            					 *(_t38 - 4) = 1;
                                                            					_t22 = E00410C9B(_t29, __edx, _t36, _t37, _t40, _t28); // executed
                                                            					_push( *((intOrPtr*)(_t38 - 0x18)));
                                                            				}
                                                            				_t30 = _t22;
                                                            				L00408BFB(_t22, _t36, _t37, _t40);
                                                            				_push( *((intOrPtr*)(_t38 + 8)));
                                                            				L00408BFB(_t30, _t36, _t37, _t40);
                                                            				return E00416BF9(_t30);
                                                             			}

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410C32
                                                              • Part of subcall function 004096A4: __EH_prolog3.LIBCMT ref: 004096AB
                                                              • Part of subcall function 00410C9B: __EH_prolog3.LIBCMT ref: 00410CA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID:
                                                            • API String ID: 431132790-0
                                                            • Opcode ID: 59967bbe753e5dc168115a87754a61ade42e6dcece7e8eaa7ca788e826340a8f
                                                            • Instruction ID: 06cb761f1f525b4146118a468f0d354c53039bfffbfcc7a97c900ac5a6a9224e
                                                            • Opcode Fuzzy Hash: 59967bbe753e5dc168115a87754a61ade42e6dcece7e8eaa7ca788e826340a8f
                                                            • Instruction Fuzzy Hash: DCF06D75400108AEDB05EB95C946FDD3BA8AF19308F00045EF540A72A3DABDEAD4AA6C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E004130B7(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                            				char _v16;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				intOrPtr* _t11;
                                                            				struct HWND__** _t23;
                                                            				void* _t24;
                                                            
                                                            				_t25 = __eflags;
                                                            				_push(0);
                                                            				 *((char*)(__ecx + 0x88)) =  *((intOrPtr*)(__ecx + 0x139));
                                                            				E00413069(__ecx + 0x70, _t24, __eflags, _a4, _a8);
                                                            				_t11 = E0040C825(__ecx + 0x70,  &_v16, 0x45);
                                                            				_t23 = __ecx + 0x74;
                                                            				E00411A09(_t23,  *_t11);
                                                            				_push(_v16);
                                                            				L00408BFB(__ebx, __edi, _t23, _t25);
                                                            				ShowWindow( *_t23, 1); // executed
                                                            				return 0;
                                                             			}

                                                            APIs
                                                              • Part of subcall function 00411A09: SetWindowTextW.USER32(?,?), ref: 00411A0F
                                                            • ShowWindow.USER32(?,00000001,00000000,?,?,00000000), ref: 00413100
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Window$ShowText
                                                            • String ID:
                                                            • API String ID: 1551406749-0
                                                            • Opcode ID: 905720b4aa533e3a3a3202855c4c46ae575610bf33439627e65eafeb3e5c2fc5
                                                            • Instruction ID: 35af53d8c1d0c1f4d98bec84655a3a64350064d86e18da663c696bb970858594
                                                            • Opcode Fuzzy Hash: 905720b4aa533e3a3a3202855c4c46ae575610bf33439627e65eafeb3e5c2fc5
                                                            • Instruction Fuzzy Hash: 9CF0E235500204BBCF11BB74DC06EC97FA4AF08314F00442EF999661A2DE75A614D788
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E00412707(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _t31;
                                                            				intOrPtr _t33;
                                                            				void* _t34;
                                                            
                                                            				_t22 = __ebx;
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				E00404082(_t34 - 0x18, _t34, __ecx + 0x14);
                                                            				_t33 =  *((intOrPtr*)(_t34 + 8));
                                                            				_t31 = 0;
                                                            				_t36 =  *((intOrPtr*)(_t33 + 8));
                                                            				 *((intOrPtr*)(_t34 - 4)) = 0;
                                                            				if( *((intOrPtr*)(_t33 + 8)) > 0) {
                                                            					do {
                                                            						E00408FDE(_t34 - 0x18, _t36,  *((intOrPtr*)( *((intOrPtr*)(_t33 + 0xc)) + _t31 * 4)));
                                                            						E00410B45(__ebx, _t31, _t33, _t36,  *((intOrPtr*)(_t34 - 0x18))); // executed
                                                            						E00408670(_t34 - 0x18, __edx, _t36, 0x5c);
                                                            						_t31 = _t31 + 1;
                                                            						_t37 = _t31 -  *((intOrPtr*)(_t33 + 8));
                                                            					} while (_t31 <  *((intOrPtr*)(_t33 + 8)));
                                                            				}
                                                            				_push( *((intOrPtr*)(_t34 - 0x18)));
                                                            				return E00416BF9(L00408BFB(_t22, _t31, _t33, _t37));
                                                             			}

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0041270E
                                                              • Part of subcall function 00410B45: __EH_prolog3.LIBCMT ref: 00410B4C
                                                              • Part of subcall function 00410B45: CreateDirectoryW.KERNELBASE(?,00000000,0000000C), ref: 00410B5C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$CreateDirectory
                                                            • String ID:
                                                            • API String ID: 2028411195-0
                                                            • Opcode ID: ce8aff6c3c48dc0627f43f54bdacbbe699a1c0c95c6fa51e321feb936b7a5f87
                                                            • Instruction ID: 7158408a5ca7f67ee087e461847e5e65f72557397dec4d11aca8ef9227536058
                                                            • Opcode Fuzzy Hash: ce8aff6c3c48dc0627f43f54bdacbbe699a1c0c95c6fa51e321feb936b7a5f87
                                                            • Instruction Fuzzy Hash: C5F030714005069ECB01AB96CD42DAEBB71BF50308F42403EA295764E2DE79B9C29B88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E00409322(void** __ecx, intOrPtr __edi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				struct _WIN32_FIND_DATAW _v600;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				signed int _t8;
                                                            				int _t11;
                                                            				signed int _t16;
                                                            				signed int _t17;
                                                            				intOrPtr _t22;
                                                            				intOrPtr _t23;
                                                            				intOrPtr _t24;
                                                            				signed int _t25;
                                                            
                                                            				_t23 = __edi;
                                                            				_t8 =  *0x42d330; // 0x41c6c370
                                                            				_v8 = _t8 ^ _t25;
                                                            				_t24 = _a4;
                                                            				_t11 = FindNextFileW( *__ecx,  &_v600); // executed
                                                            				_t17 = _t16 & 0xffffff00 | _t11 != 0x00000000;
                                                            				_t27 = _t17;
                                                            				if(_t17 != 0) {
                                                            					E00409208( &_v600, _t22, _t24, _t27);
                                                            				}
                                                            				return E00416B12(_t17, _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                                             			}

                                                            APIs
                                                            • FindNextFileW.KERNELBASE(?,?), ref: 00409345
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FileFindNext
                                                            • String ID:
                                                            • API String ID: 2029273394-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E00410D94(intOrPtr* _a8) {
                                                            				WCHAR* _v0;
                                                            				signed int _t9;
                                                            				intOrPtr _t16;
                                                            				intOrPtr* _t17;
                                                            
                                                            				_t17 = _a8;
                                                            				GetShortPathNameW(_v0, E00403FA3(_t17, 0x105), 0x105); // executed
                                                            				_t16 =  *_t17;
                                                            				_t9 = E0040116F(_t16);
                                                            				 *((short*)(_t16 + _t9 * 2)) = 0;
                                                            				 *(_t17 + 4) = _t9;
                                                            				asm("sbb eax, eax");
                                                            				return 0x103;
                                                            			}


                                                            APIs
                                                            • GetShortPathNameW.KERNEL32 ref: 00410DAE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: NamePathShort
                                                            • String ID:
                                                            • API String ID: 1295925010-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00410E98(WCHAR* _a4, intOrPtr* _a12) {
                                                            				WCHAR* _v0;
                                                            				int _t8;
                                                            				signed int _t9;
                                                            				intOrPtr _t14;
                                                            				intOrPtr* _t15;
                                                            
                                                            				_t15 = _a12;
                                                            				_t8 = GetTempFileNameW(_v0, _a4, 0, E00403FA3(_t15, 0x105)); // executed
                                                            				_t14 =  *_t15;
                                                            				_t9 = E0040116F(_t14);
                                                            				 *((short*)(_t14 + _t9 * 2)) = 0;
                                                            				 *(_t15 + 4) = _t9;
                                                            				return _t8;
                                                            			}


                                                            APIs
                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,00000000,00000105), ref: 00410EB6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FileNameTemp
                                                            • String ID:
                                                            • API String ID: 745986568-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E00407512(intOrPtr __ecx, void* __esi, void* __eflags) {
                                                            				void* _t19;
                                                            				void* _t21;
                                                            				void* _t28;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            
                                                            				_t32 = __eflags;
                                                            				_push(4);
                                                            				E00416B21(E0042156B, _t21, _t28, __esi);
                                                            				 *((intOrPtr*)(_t31 - 0x10)) = __ecx;
                                                            				 *(_t31 - 4) = 3;
                                                            				E004070DC(_t21, __ecx + 0x4a0, _t28, __ecx, _t32); // executed
                                                            				 *(_t31 - 4) = 2;
                                                            				E004070AB(_t21, __ecx + 0x70, _t28, __ecx, _t32); // executed
                                                            				 *(_t31 - 4) = 1;
                                                            				E004070AB(_t21, __ecx + 0x50, _t28, __ecx, _t32); // executed
                                                            				 *(_t31 - 4) = 0;
                                                            				E004070AB(_t21, __ecx + 0x30, _t28, __ecx, _t32); // executed
                                                            				_t10 = _t31 - 4;
                                                            				 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
                                                            				_t19 = E004070AB(_t21, __ecx + 0x10, _t28, __ecx,  *_t10); // executed
                                                            				return E00416BF9(_t19);
                                                            			}


                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00407519
                                                              • Part of subcall function 004070DC: __EH_prolog3.LIBCMT ref: 004070E3
                                                              • Part of subcall function 004070AB: __EH_prolog3.LIBCMT ref: 004070B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID:
                                                            • API String ID: 431132790-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E004095E8(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                                            				long _v8;
                                                            				long _t12;
                                                            				signed int _t14;
                                                            				void** _t16;
                                                            
                                                            				_t16 = __ecx;
                                                            				_push(__ecx);
                                                            				_t12 =  *0x42cb34; // 0x400000
                                                            				if(_a8 > _t12) {
                                                            					_a8 = _t12;
                                                            				}
                                                            				_v8 = _v8 & 0x00000000;
                                                            				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
                                                            				 *_a12 = _v8;
                                                            				return _t14 & 0xffffff00 | _t14 != 0x00000000;
                                                            			}


                                                            APIs
                                                            • WriteFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040960B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041A99E(intOrPtr _a4) {
                                                            				void* _t6;
                                                            
                                                            				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                            				 *0x430e7c = _t6;
                                                            				if(_t6 != 0) {
                                                            					 *0x4342d8 = 1;
                                                            					return 1;
                                                            				} else {
                                                            					return _t6;
                                                            				}
                                                            			}



                                                            APIs
                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041A9B3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CreateHeap
                                                            • String ID:
                                                            • API String ID: 10892065-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00409535(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                                            				long _v8;
                                                            				signed int _t11;
                                                            
                                                            				_push(__ecx);
                                                            				_v8 = _v8 & 0x00000000;
                                                            				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
                                                            				 *_a12 = _v8;
                                                            				return _t11 & 0xffffff00 | _t11 != 0x00000000;
                                                            			}


                                                            APIs
                                                            • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040954B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004131B8(struct HWND__** __ecx) {
                                                            				struct HWND__* _t3;
                                                            				signed int _t4;
                                                            				signed int _t5;
                                                            				signed int* _t8;
                                                            
                                                            				_t8 = __ecx;
                                                            				_t3 =  *__ecx;
                                                            				if(_t3 != 0) {
                                                            					_t4 = DestroyWindow(_t3); // executed
                                                            					_t5 = _t4 & 0xffffff00 | _t4 != 0x00000000;
                                                            					if(_t5 != 0) {
                                                            						 *_t8 =  *_t8 & 0x00000000;
                                                            						return _t5;
                                                            					}
                                                            					return _t5;
                                                            				} else {
                                                            					return 1;
                                                            				}
                                                            			}








                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: DestroyWindow
                                                            • String ID:
                                                            • API String ID: 3375834691-0
                                                            • Opcode ID: 53a8ea379b7d00479024dc1505115ad1629d640bb62f35358d3f99fe7c566f6c
                                                            • Instruction ID: 7298449ebcc8be9521e5c8a9423c1ed6b15aaaa6b217507720e11277dd58528e
                                                            • Opcode Fuzzy Hash: 53a8ea379b7d00479024dc1505115ad1629d640bb62f35358d3f99fe7c566f6c
                                                            • Instruction Fuzzy Hash: EAD01231714211A7DB705E2DB8447D633DD5F11723B15445AFC80CB240DB68DDC35A58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00412E93(void* __ecx) {
                                                            				int _t7;
                                                            
                                                            				E0040FC41( *((intOrPtr*)(__ecx + 0x54)));
                                                            				if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
                                                            					 *((char*)(__ecx + 0x51)) = 1;
                                                            					return 0;
                                                            				} else {
                                                            					_t7 = PostMessageW( *(__ecx + 4), 0x8000, 0, 0); // executed
                                                            					return _t7;
                                                            				}
                                                            			}





                                                            APIs
                                                              • Part of subcall function 0040FC41: WaitForSingleObject.KERNEL32(?,000000FF,0040B19F,00000000,?,?,?,004017D2,00000004,00401A97,?,?,?), ref: 0040FC47
                                                            • PostMessageW.USER32(?,00008000,00000000,00000000), ref: 00412EAF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: MessageObjectPostSingleWait
                                                            • String ID:
                                                            • API String ID: 1869837590-0
                                                            • Opcode ID: 54403d254d6dece21fdd30bf551ef77a2a7b988ed31ba3920b28ef320dc540f1
                                                            • Instruction ID: edc2d39b9b95d8753d24a0c99186f72b6eb965518e6ef86668453d206e3306f5
                                                            • Opcode Fuzzy Hash: 54403d254d6dece21fdd30bf551ef77a2a7b988ed31ba3920b28ef320dc540f1
                                                            • Instruction Fuzzy Hash: 2FD0A7314187A0AEE771A734BD06AE77BD9AB00304B0C08BEB4C291D55C7E5BC959764
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004091A4(void** __ecx) {
                                                            				void* _t1;
                                                            				int _t3;
                                                            				signed int* _t6;
                                                            
                                                            				_t6 = __ecx;
                                                            				_t1 =  *__ecx;
                                                            				if(_t1 == 0xffffffff) {
                                                            					L4:
                                                            					return 1;
                                                            				} else {
                                                            					_t3 = FindClose(_t1); // executed
                                                            					if(_t3 != 0) {
                                                            						 *_t6 =  *_t6 | 0xffffffff;
                                                            						goto L4;
                                                            					} else {
                                                            						return 0;
                                                            					}
                                                            				}
                                                            			}







                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CloseFind
                                                            • String ID:
                                                            • API String ID: 1863332320-0
                                                            • Opcode ID: ceed599eb068a9b020e5a439002c9ac0e64598cc8ca2fb7ebb587fd943f36f4f
                                                            • Instruction ID: e6f65a1a3ae19892a9c0185e9ae34a5b8dc5a998896a5f52585ecf58a904d7a6
                                                            • Opcode Fuzzy Hash: ceed599eb068a9b020e5a439002c9ac0e64598cc8ca2fb7ebb587fd943f36f4f
                                                            • Instruction Fuzzy Hash: D6D0127121412286DE745E3C78485C273D95B06370325076AF0B0D73E5D378DC835668
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E004073C7(void* __edx, void* __eflags) {
                                                            				void* _t13;
                                                            				void* _t15;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				void* _t20;
                                                            				void* _t21;
                                                            
                                                            				_t21 = __eflags;
                                                            				_push(0xc);
                                                            				E00416B54(E00421524, _t15, _t18, _t19);
                                                            				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                                                            				_t13 = E00407148(_t15,  *((intOrPtr*)(_t20 + 8)), __edx, _t18, _t19, _t21,  *((intOrPtr*)(_t20 + 0xc)),  *((intOrPtr*)(_t20 + 0x10)),  *((intOrPtr*)(_t20 + 0x14)),  *((intOrPtr*)(_t20 + 0x18)),  *((intOrPtr*)(_t20 + 0x1c)),  *((intOrPtr*)(_t20 + 0x20)),  *((intOrPtr*)(_t20 + 0x24))); // executed
                                                            				return E00416BF9(_t13);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3_catch.LIBCMT ref: 004073CE
                                                              • Part of subcall function 00407148: __EH_prolog3.LIBCMT ref: 0040714F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3H_prolog3_catch
                                                            • String ID:
                                                            • API String ID: 1882928916-0
                                                            • Opcode ID: 28e09e3b734dcda83a9779a142a1a0cda2b6bb65c50fddb9d581310a60e990cb
                                                            • Instruction ID: 84ce1d22dcfe6e103ce055f2b8b6750ac12f05c8568533fdb2c5d1bbdb3a852e
                                                            • Opcode Fuzzy Hash: 28e09e3b734dcda83a9779a142a1a0cda2b6bb65c50fddb9d581310a60e990cb
                                                            • Instruction Fuzzy Hash: F2E0B632504109EBDF02AF80CC01EDD3F62BF48308F11815ABA04291A1C73AD9B1AB1A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00409469(void** __ecx) {
                                                            				void* _t1;
                                                            				int _t3;
                                                            				signed int* _t6;
                                                            
                                                            				_t6 = __ecx;
                                                            				_t1 =  *__ecx;
                                                            				if(_t1 == 0xffffffff) {
                                                            					L4:
                                                            					return 1;
                                                            				} else {
                                                            					_t3 = FindCloseChangeNotification(_t1); // executed
                                                            					if(_t3 != 0) {
                                                            						 *_t6 =  *_t6 | 0xffffffff;
                                                            						goto L4;
                                                            					} else {
                                                            						return 0;
                                                            					}
                                                            				}
                                                            			}







                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE ref: 00409474
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            • String ID:
                                                            • API String ID: 2591292051-0
                                                            • Opcode ID: a6ad88fce9d677adcfcb3cedd9ab2708af14cbe569ef0bba0bbf37a308d24c96
                                                            • Instruction ID: b4a90a00154391669b7363a51cf89b3e9318aaf3395dcee91c52b1fe365849fc
                                                            • Opcode Fuzzy Hash: a6ad88fce9d677adcfcb3cedd9ab2708af14cbe569ef0bba0bbf37a308d24c96
                                                            • Instruction Fuzzy Hash: E9D0123150812146CA749E3C7C489C733D85B8637432107AAF8B4D32E5D774CC835664
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040FC1B(signed int* _a4) {
                                                            				void* _t2;
                                                            				int _t4;
                                                            				signed int* _t6;
                                                            
                                                            				_t6 = _a4;
                                                            				_t2 =  *_t6;
                                                            				if(_t2 == 0) {
                                                            					L3:
                                                            					 *_t6 =  *_t6 & 0x00000000;
                                                            					return 0;
                                                            				}
                                                            				_t4 = FindCloseChangeNotification(_t2); // executed
                                                            				if(_t4 != 0) {
                                                            					goto L3;
                                                            				}
                                                            				return E0040FBFF();
                                                            			}







                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,00401769,?,?,00401A40,?,?,?), ref: 0040FC27
                                                              • Part of subcall function 0040FBFF: GetLastError.KERNEL32(0040FC36,?,00401769,?,?,00401A40,?,?,?), ref: 0040FBFF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseErrorFindLastNotification
                                                            • String ID:
                                                            • API String ID: 1687624791-0
                                                            • Opcode ID: 154228df2ff763398198bb62a8d67d4fc733a41ee82627f3fea0a20968ac3d13
                                                            • Instruction ID: 1a5018943eef3921d8683e0e76473e6435a4a7453b84e3265ad686b3c7f8bf41
                                                            • Opcode Fuzzy Hash: 154228df2ff763398198bb62a8d67d4fc733a41ee82627f3fea0a20968ac3d13
                                                            • Instruction Fuzzy Hash: BAD0C77261821987E7709E75D80575773E87F64391F11483BBC81E26C4DA3CDC468669
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E004134A7(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t20;
                                                            
                                                            				_push(0xc);
                                                            				E00416B54(E00422122, __ebx, __edi, __esi);
                                                            				 *((intOrPtr*)(_t20 - 0x14)) = __ecx;
                                                            				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                                                            				_t19 =  *((intOrPtr*)(__ecx + 0x1c)) + 0x70;
                                                            				 *((intOrPtr*)(_t20 - 0x18)) =  *((intOrPtr*)(__ecx + 0x1c)) + 0x70;
                                                            				 *(_t20 - 4) = 1;
                                                            				E00413320(__ebx, __ecx, __edx, __edi,  *((intOrPtr*)(__ecx + 0x1c)) + 0x70, _t19); // executed
                                                            				return E00416BF9(E00412E93(_t19));
                                                            			}





                                                            APIs
                                                            • __EH_prolog3_catch.LIBCMT ref: 004134AE
                                                              • Part of subcall function 00413320: __EH_prolog3.LIBCMT ref: 00413327
                                                              • Part of subcall function 00412E93: PostMessageW.USER32(?,00008000,00000000,00000000), ref: 00412EAF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3H_prolog3_catchMessagePost
                                                            • String ID:
                                                            • API String ID: 2353938149-0
                                                            • Opcode ID: a2f85cf47bc91e1651615562e7d259fc2dd1f942ff68663c9af53319ea72f271
                                                            • Instruction ID: 37150bc996be07024e23407f5ffd0e30b920fa78c3a9b78fcff4c7f849eb0ef8
                                                            • Opcode Fuzzy Hash: a2f85cf47bc91e1651615562e7d259fc2dd1f942ff68663c9af53319ea72f271
                                                            • Instruction Fuzzy Hash: 6CD05E71E052348BEF05FB9591023DD77615F10309F65409FA504AB282CBBD9F9687DE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00417657(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t9;
                                                            				void* _t18;
                                                            
                                                            				_push(0xc);
                                                            				_push(0x42a470);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				E0041AA6A();
                                                            				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
                                                            				_t9 = E0041756C(__edx,  *((intOrPtr*)(_t18 + 8))); // executed
                                                            				 *((intOrPtr*)(_t18 - 0x1c)) = _t9;
                                                            				 *(_t18 - 4) = 0xfffffffe;
                                                            				E0041768D();
                                                            				return E00417BB1( *((intOrPtr*)(_t18 - 0x1c)));
                                                            			}






                                                            APIs
                                                              • Part of subcall function 0041AA6A: __lock.LIBCMT ref: 0041AA6C
                                                            • __onexit_nolock.LIBCMT ref: 0041766F
                                                              • Part of subcall function 0041756C: __decode_pointer.LIBCMT ref: 0041757B
                                                              • Part of subcall function 0041756C: __decode_pointer.LIBCMT ref: 0041758B
                                                              • Part of subcall function 0041756C: __msize.LIBCMT ref: 004175A9
                                                              • Part of subcall function 0041756C: __realloc_crt.LIBCMT ref: 004175CD
                                                              • Part of subcall function 0041756C: __realloc_crt.LIBCMT ref: 004175E3
                                                              • Part of subcall function 0041756C: __encode_pointer.LIBCMT ref: 004175F5
                                                              • Part of subcall function 0041756C: __encode_pointer.LIBCMT ref: 00417603
                                                              • Part of subcall function 0041756C: __encode_pointer.LIBCMT ref: 0041760E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
                                                            • String ID:
                                                            • API String ID: 1316407801-0
                                                            • Opcode ID: f62d3a009e41f3d1527246ed07ccb787376bfc05c42d54a329812c2034400765
                                                            • Instruction ID: 50652295d12e053d6e041c28fa09360bfde02633ad2c970896e797852022faa4
                                                            • Opcode Fuzzy Hash: f62d3a009e41f3d1527246ed07ccb787376bfc05c42d54a329812c2034400765
                                                            • Instruction Fuzzy Hash: 36D01730D49208AACB00FBA6DC027DD76706F00328F60428AB024661D2CB7C6A918A1D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E004060EC(void* __ecx, void* __eflags) {
                                                            				void* _t8;
                                                            				void* _t10;
                                                            				void* _t12;
                                                            				void* _t13;
                                                            				void* _t14;
                                                            				void* _t15;
                                                            
                                                            				_t15 = __eflags;
                                                            				_push(4);
                                                            				E00416B54(E004212DE, _t10, _t12, _t13);
                                                            				 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                                                            				_t8 = E00405E50(_t10, __ecx, _t12, _t13, _t15,  *((intOrPtr*)(_t14 + 8)),  *((intOrPtr*)(_t14 + 0xc)),  *((intOrPtr*)(_t14 + 0x10))); // executed
                                                            				return E00416BF9(_t8);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3_catch.LIBCMT ref: 004060F3
                                                              • Part of subcall function 00405E50: __EH_prolog3.LIBCMT ref: 00405E57
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3H_prolog3_catch
                                                            • String ID:
                                                            • API String ID: 1882928916-0
                                                            • Opcode ID: c4f1c16b8a69300ef20dc63a60a8572890e109b9ba60d17ba3b8912923893270
                                                            • Instruction ID: 66fb4eb1dd9ef290f0d14366853655bb72eb87facac39e3ebcd306175ee87c76
                                                            • Opcode Fuzzy Hash: c4f1c16b8a69300ef20dc63a60a8572890e109b9ba60d17ba3b8912923893270
                                                            • Instruction Fuzzy Hash: 0ED0C971204154E6DF017F51CC02B8D7722AB50308F51806EB610AD0A2C6399665AA2D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E0041AC6E(intOrPtr _a4) {
                                                            				void* __ebp;
                                                            				void* _t2;
                                                            				void* _t3;
                                                            				void* _t4;
                                                            				void* _t5;
                                                            				void* _t8;
                                                            
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(_a4);
                                                            				_t2 = E0041AB42(_t3, _t4, _t5, _t8); // executed
                                                            				return _t2;
                                                            			}










                                                            APIs
                                                            • _doexit.LIBCMT ref: 0041AC7A
                                                              • Part of subcall function 0041AB42: __lock.LIBCMT ref: 0041AB50
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041AB87
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041AB9C
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041ABC6
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041ABDC
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041ABE9
                                                              • Part of subcall function 0041AB42: __initterm.LIBCMT ref: 0041AC18
                                                              • Part of subcall function 0041AB42: __initterm.LIBCMT ref: 0041AC28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __decode_pointer$__initterm$__lock_doexit
                                                            • String ID:
                                                            • API String ID: 1597249276-0
                                                            • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                                                            • Instruction ID: 32703e2425d6837e09d77f142ee0d03d1aa3b2b2739c8778ca234f578448a184
                                                            • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                                                            • Instruction Fuzzy Hash: CAB0923258424833DA202942EC03F467A0A87D0BA4F240021BB0C191A1A9A6B9A1919A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E004095BB(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
                                                            				signed int _t4;
                                                            
                                                            				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
                                                            				asm("sbb eax, eax");
                                                            				return  ~( ~_t4);
                                                            			}





                                                            APIs
                                                            • SetFileTime.KERNELBASE(?,?,?,?), ref: 004095C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FileTime
                                                            • String ID:
                                                            • API String ID: 1425588814-0
                                                            • Opcode ID: 7c264c662d17f6748a7a7cd915a901ef6f14879ae262d0762ce06c4027b9e3d8
                                                            • Instruction ID: 57fa52493768e88d4c675f4e3ff19f9e09c23c003b41dcdd424065fe4b098c63
                                                            • Opcode Fuzzy Hash: 7c264c662d17f6748a7a7cd915a901ef6f14879ae262d0762ce06c4027b9e3d8
                                                            • Instruction Fuzzy Hash: A4C04C36158105FF8F124F70CC04C1ABBB2AB99312F10C918B155C4074C7328424EB12
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040D84E(intOrPtr _a4) {
                                                            				void* _t3;
                                                            				void* _t5;
                                                            				void* _t7;
                                                            				void* _t8;
                                                            
                                                            				if(_a4 != 0) {
                                                            					_t3 = E00417414(_t5, _t7, _t8, _a4); // executed
                                                            					return _t3;
                                                            				}
                                                            				return 0;
                                                            			}








                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: _malloc
                                                            • String ID:
                                                            • API String ID: 1579825452-0
                                                            • Opcode ID: 20394390867618d9d500dbe07c14ad3570cdce1b0b705a712d1a182bf64edd08
                                                            • Instruction ID: 9fa39186f6ac70ea71dad3f96ae6bbd7c0e55b847be20752fb22e855cafe7a70
                                                            • Opcode Fuzzy Hash: 20394390867618d9d500dbe07c14ad3570cdce1b0b705a712d1a182bf64edd08
                                                            • Instruction Fuzzy Hash: 30B09232809200E9C6007AA1E90571BA6A05BA0765F24CC3FF05A62091C73898A8FA2A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00410729(void* __ecx) {
                                                            
                                                            				SendMessageW( *(__ecx + 4), 0x80, 1, 0); // executed
                                                            				return 1;
                                                            			}




                                                            APIs
                                                            • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00410735
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 350c799ee5a2866a2e4a90e4137b8a2d5ebde71f238ef18c267c58f946dbb223
                                                            • Instruction ID: a4c26e9a3c29e24c211aff4f89e05bb1a464a78c4738ab71fc5642a945c5313b
                                                            • Opcode Fuzzy Hash: 350c799ee5a2866a2e4a90e4137b8a2d5ebde71f238ef18c267c58f946dbb223
                                                            • Instruction Fuzzy Hash: 2AB012383C0200B6E9300F00DE07F407A317700F02FD080D0F2842D1E186D754079A38
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041079E(long __ecx, WCHAR* _a4, struct HWND__* _a8) {
                                                            				int _t3;
                                                            
                                                            				_t3 = DialogBoxParamW( *0x43063c, _a4, _a8, E004106BD, __ecx); // executed
                                                            				return _t3;
                                                            			}





                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: DialogParam
                                                            • String ID:
                                                            • API String ID: 665744214-0
                                                            • Opcode ID: 83a23e5f2a5779a97fcb816a9719aacd6dba0e44b669cde2decfec3171c3a416
                                                            • Instruction ID: 4304025832de87dfc64906559080df533071c10b9fbf0e2d02038323627bd0c9
                                                            • Opcode Fuzzy Hash: 83a23e5f2a5779a97fcb816a9719aacd6dba0e44b669cde2decfec3171c3a416
                                                            • Instruction Fuzzy Hash: 7DC09B71244341EFCB01DF40DD05D1A7A71FBD4301B144D5DF19011034D3654475DB1D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E00411A09(struct HWND__** __ecx, WCHAR* _a4) {
                                                            				signed int _t2;
                                                            
                                                            				_t2 = SetWindowTextW( *__ecx, _a4); // executed
                                                            				asm("sbb eax, eax");
                                                            				return  ~( ~_t2);
                                                            			}




                                                            0x00411a0f
                                                            0x00411a17
                                                            0x00411a1b

                                                            APIs
                                                            • SetWindowTextW.USER32(?,?), ref: 00411A0F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: TextWindow
                                                            • String ID:
                                                            • API String ID: 530164218-0
                                                            • Opcode ID: 0cac3e49e0ef37c63cf37dc2c3e09d3ba3e0a8b2ccbe1e6d84387eabad972059
                                                            • Instruction ID: 7285ec3e8b14015ba41abaafd2aaf9d1c9e421011ef37e859ac2b5d579ac4960
                                                            • Opcode Fuzzy Hash: 0cac3e49e0ef37c63cf37dc2c3e09d3ba3e0a8b2ccbe1e6d84387eabad972059
                                                            • Instruction Fuzzy Hash: E5B012312941079B8F110F30CC09C257AB1ABA6707B10C634B202C40B0DB328434FB05
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00411C72(struct HWND__** __ecx, int _a4) {
                                                            				long _t2;
                                                            
                                                            				_t2 = SendMessageW( *__ecx, 0x402, _a4, 0); // executed
                                                            				return _t2;
                                                            			}




                                                            0x00411c7f
                                                            0x00411c85

                                                            APIs
                                                            • SendMessageW.USER32(?,00000402,?,00000000), ref: 00411C7F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: bfb020d162c2876dd643ce5794c777644e35f7b7a7e62491d4677c709d91e7d4
                                                            • Instruction ID: 069d68a9e1231b4b556b08c56050ac7aef345419fd7f8c3e29ec79a0a001832b
                                                            • Opcode Fuzzy Hash: bfb020d162c2876dd643ce5794c777644e35f7b7a7e62491d4677c709d91e7d4
                                                            • Instruction Fuzzy Hash: E9B012B1380201FBDA114F50CF0AF05BE71AB50701F50C064B348280F1C2B20821DB2E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00411EBA(void* __ecx) {
                                                            
                                                            				EndDialog( *(__ecx + 4), 0); // executed
                                                            				return 1;
                                                            			}



                                                            0x00411ebf
                                                            0x00411ec7

                                                            APIs
                                                            • EndDialog.USER32(?,00000000), ref: 00411EBF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Dialog
                                                            • String ID:
                                                            • API String ID: 1120787796-0
                                                            • Opcode ID: 101327961ffd129499788fe345791a6db2a53a88b219c9f9f512ba42817a1e78
                                                            • Instruction ID: bc8bd401b0eefbe877630cbd04d9267ddc83d6f7ecd5b816f849047cd02cc86e
                                                            • Opcode Fuzzy Hash: 101327961ffd129499788fe345791a6db2a53a88b219c9f9f512ba42817a1e78
                                                            • Instruction Fuzzy Hash: 28A0223C200300ABCA200F00EC0BB003F30BB20B0BFE080E0F000082B0C3AB8023EE88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00418676() {
                                                            				void* _t1;
                                                            
                                                            				_t1 = E00418604(0); // executed
                                                            				return _t1;
                                                            			}




                                                            0x00418678
                                                            0x0041867e

                                                            APIs
                                                            • __encode_pointer.LIBCMT ref: 00418678
                                                              • Part of subcall function 00418604: TlsGetValue.KERNEL32(00000000,?,0041867D,00000000,0041C3DC,004306C8,00000000,00000314,?,0041858F,004306C8,Microsoft Visual C++ Runtime Library,00012010), ref: 00418616
                                                              • Part of subcall function 00418604: TlsGetValue.KERNEL32(00000005,?,0041867D,00000000,0041C3DC,004306C8,00000000,00000314,?,0041858F,004306C8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041862D
                                                              • Part of subcall function 00418604: RtlEncodePointer.NTDLL(00000000,?,0041867D,00000000,0041C3DC,004306C8,00000000,00000314,?,0041858F,004306C8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041866B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Value$EncodePointer__encode_pointer
                                                            • String ID:
                                                            • API String ID: 2585649348-0
                                                            • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                                                            • Instruction ID: 5a5505d646162c0910025cdbf4f2e43bfc302516613f7e24b8ec1ce389676881
                                                            • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                                                            • Instruction Fuzzy Hash:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040D873(long _a4) {
                                                            				void* _t3;
                                                            
                                                            				if(_a4 != 0) {
                                                            					_t3 = VirtualAlloc(0, _a4, 0x1000, 4); // executed
                                                            					return _t3;
                                                            				}
                                                            				return 0;
                                                            			}




                                                            0x0040d878
                                                            0x0040d88b
                                                            0x00000000
                                                            0x0040d88b
                                                            0x00000000

                                                            APIs
                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00407672,00020000), ref: 0040D88B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 5e2b473792147291d41c654fde43e170c2ab6d884310398fcc52e1e8375520d5
                                                            • Instruction ID: 1dee39851da255e603c81e70ab06536354d94f21e9d906fbcb05ba4b28f21589
                                                            • Opcode Fuzzy Hash: 5e2b473792147291d41c654fde43e170c2ab6d884310398fcc52e1e8375520d5
                                                            • Instruction Fuzzy Hash: 69C08C72A8C301BEEB215A908C09F06B2A06B54B92F20C835B3A9740D8C2B88004DA2E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040D894(void* _a4) {
                                                            				void* _t3;
                                                            				int _t4;
                                                            
                                                            				if(_a4 != 0) {
                                                            					_t4 = VirtualFree(_a4, 0, 0x8000); // executed
                                                            					return _t4;
                                                            				}
                                                            				return _t3;
                                                            			}





                                                            0x0040d899
                                                            0x0040d8a6
                                                            0x00000000
                                                            0x0040d8a6
                                                            0x0040d8ac

                                                            APIs
                                                            • VirtualFree.KERNELBASE(?,00000000,00008000,0040A8A2,?,?,004070C5,00000004), ref: 0040D8A6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: 6cb800e3b21292d7a01e8d915fab6851819cbdd43799a7b69ebaca4b63cd47eb
                                                            • Instruction ID: 0a782922268e19acd864cb2e137f5d939f388066cb3675ff771b179204057813
                                                            • Opcode Fuzzy Hash: 6cb800e3b21292d7a01e8d915fab6851819cbdd43799a7b69ebaca4b63cd47eb
                                                            • Instruction Fuzzy Hash: 5FC09B71744300BEE7216F04DD09B07B6606B50701F10C4357254340E847785414DE1D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            C-Code - Quality: 85%
                                                            			E00416B12(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                            				intOrPtr _v0;
                                                            				void* _v804;
                                                            				intOrPtr _v808;
                                                            				intOrPtr _v812;
                                                            				intOrPtr _t6;
                                                            				intOrPtr _t11;
                                                            				intOrPtr _t12;
                                                            				intOrPtr _t13;
                                                            				long _t17;
                                                            				intOrPtr _t21;
                                                            				intOrPtr _t22;
                                                            				intOrPtr _t25;
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t27;
                                                            				intOrPtr* _t31;
                                                            				void* _t34;
                                                            
                                                            				_t27 = __esi;
                                                            				_t26 = __edi;
                                                            				_t25 = __edx;
                                                            				_t22 = __ecx;
                                                            				_t21 = __ebx;
                                                            				_t6 = __eax;
                                                            				_t34 = _t22 -  *0x42d330; // 0x41c6c370
                                                            				if(_t34 == 0) {
                                                            					asm("repe ret");
                                                            				}
                                                            				 *0x430b08 = _t6;
                                                            				 *0x430b04 = _t22;
                                                            				 *0x430b00 = _t25;
                                                            				 *0x430afc = _t21;
                                                            				 *0x430af8 = _t27;
                                                            				 *0x430af4 = _t26;
                                                            				 *0x430b20 = ss;
                                                            				 *0x430b14 = cs;
                                                            				 *0x430af0 = ds;
                                                            				 *0x430aec = es;
                                                            				 *0x430ae8 = fs;
                                                            				 *0x430ae4 = gs;
                                                            				asm("pushfd");
                                                            				_pop( *0x430b18);
                                                            				 *0x430b0c =  *_t31;
                                                            				 *0x430b10 = _v0;
                                                            				 *0x430b1c =  &_a4;
                                                            				 *0x430a58 = 0x10001;
                                                            				_t11 =  *0x430b10; // 0x0
                                                            				 *0x430a0c = _t11;
                                                            				 *0x430a00 = 0xc0000409;
                                                            				 *0x430a04 = 1;
                                                            				_t12 =  *0x42d330; // 0x41c6c370
                                                            				_v812 = _t12;
                                                            				_t13 =  *0x42d334; // 0xbe393c8f
                                                            				_v808 = _t13;
                                                            				 *0x430a50 = IsDebuggerPresent();
                                                            				_push(1);
                                                            				E0041D30F(_t14);
                                                            				SetUnhandledExceptionFilter(0);
                                                            				_t17 = UnhandledExceptionFilter(0x424afc);
                                                            				if( *0x430a50 == 0) {
                                                            					_push(1);
                                                            					E0041D30F(_t17);
                                                            				}
                                                            				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                            			}




















                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32 ref: 00419AB7
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00419ACC
                                                            • UnhandledExceptionFilter.KERNEL32(00424AFC), ref: 00419AD7
                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00419AF3
                                                            • TerminateProcess.KERNEL32(00000000), ref: 00419AFA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                            • String ID:
                                                            • API String ID: 2579439406-0
                                                            • Opcode ID: a918bf17ed6755c8c93a3fec57836d41ced2a735aa7a5f4a8140f49a9c0783ae
                                                            • Instruction ID: a3ae943e02b669ff2a6498971f269fac364f055245c94165238cd76a69923d3c
                                                            • Opcode Fuzzy Hash: a918bf17ed6755c8c93a3fec57836d41ced2a735aa7a5f4a8140f49a9c0783ae
                                                            • Instruction Fuzzy Hash: B92103B4A103089FC750EF55FD64A54BBB4BB18305F50623AE41883B60E7B8A981CF4D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041B945() {
                                                            
                                                            				SetUnhandledExceptionFilter(E0041B903);
                                                            				return 0;
                                                            			}




                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0001B903), ref: 0041B94A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 48d45a271a940ca4e2f88f0b5105577f0641e264a5b2adf435378eee180a1776
                                                            • Instruction ID: f9ebc1ffc639d90b74befdcaa34d6ee0320cc7816fc40c15477a0d87825db997
                                                            • Opcode Fuzzy Hash: 48d45a271a940ca4e2f88f0b5105577f0641e264a5b2adf435378eee180a1776
                                                            • Instruction Fuzzy Hash: 649002B03655096A66101B705C4D75A25A4AA5C6077910565A101C4154DB584157655D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E0040F949(void* _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr* _v12;
                                                            				signed int _v16;
                                                            				signed int _v20;
                                                            				intOrPtr* _v24;
                                                            				char _v28;
                                                            				intOrPtr _v32;
                                                            				void _v64;
                                                            				char _v128;
                                                            				signed int _t87;
                                                            				void* _t88;
                                                            				signed int _t110;
                                                            				signed int _t114;
                                                            				signed int _t116;
                                                            				intOrPtr* _t123;
                                                            				intOrPtr* _t127;
                                                            				void* _t129;
                                                            				intOrPtr* _t130;
                                                            				void* _t144;
                                                            				signed int _t171;
                                                            				void* _t183;
                                                            
                                                            				_v8 = _v8 & 0x00000000;
                                                            				_t110 = 8;
                                                            				_v32 = memcpy( &_v64, _a4, _t110 << 2) -  &_v128;
                                                            				do {
                                                            					_t114 = 1;
                                                            					_t130 =  &_v128;
                                                            					_v20 = 1;
                                                            					_t87 = 0xfffffffc;
                                                            					_v24 = _t130;
                                                            					_v12 = 0x423aa0 + _v8 * 4;
                                                            					_v28 = 0x10;
                                                            					do {
                                                            						if(_v8 == 0) {
                                                            							_t116 =  *((intOrPtr*)(_v32 + _t130));
                                                            							 *_t130 = _t116;
                                                            						} else {
                                                            							_t17 = _t114 - 1; // 0x0
                                                            							_v16 = _t183 + (_t17 & 0x0000000f) * 4 - 0x7c;
                                                            							_t25 = _t114 - 3; // -2
                                                            							asm("ror edi, 0x12");
                                                            							asm("ror ebx, 0x7");
                                                            							asm("ror esi, 0x13");
                                                            							asm("ror ebx, 0x11");
                                                            							_t127 = _v16;
                                                            							 *_t127 =  *_t127 + ( *(_t183 + (_t114 & 0x0000000f) * 4 - 0x7c) ^  *(_t183 + (_t114 & 0x0000000f) * 4 - 0x7c) ^  *(_t183 + (_t114 & 0x0000000f) * 4 - 0x7c) >> 0x00000003) + ( *(_t183 + (_t25 & 0x0000000f) * 4 - 0x7c) ^  *(_t183 + (_t25 & 0x0000000f) * 4 - 0x7c) ^  *(_t183 + (_t25 & 0x0000000f) * 4 - 0x7c) >> 0x0000000a) +  *((intOrPtr*)(_t183 + (_t114 + 0xfffffff8 & 0x0000000f) * 4 - 0x7c));
                                                            							_t116 =  *_t127;
                                                            						}
                                                            						_v16 = _t116;
                                                            						_t39 = _t87 + 2; // 0xfe
                                                            						_t43 = _t87 + 3; // 0xff
                                                            						asm("ror edi, 0x19");
                                                            						asm("ror ebx, 0xb");
                                                            						asm("ror ebx, 0x6");
                                                            						_t45 = _t87 + 1; // 0xfd
                                                            						_t123 = _t183 + (_t43 & 0x00000007) * 4 - 0x3c;
                                                            						 *_t123 =  *_t123 + (( *(_t183 + (_t45 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t39 & 0x00000007) * 4 - 0x3c)) &  *(_t183 + (_t87 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t39 & 0x00000007) * 4 - 0x3c)) + ( *(_t183 + (_t87 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t87 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t87 & 0x00000007) * 4 - 0x3c)) + _v16 +  *_v12;
                                                            						_t53 = _t87 - 1; // 0xfb
                                                            						 *((intOrPtr*)(_t183 + (_t53 & 0x00000007) * 4 - 0x3c)) =  *((intOrPtr*)(_t183 + (_t53 & 0x00000007) * 4 - 0x3c)) +  *_t123;
                                                            						_t57 = _t87 - 4; // 0xf8
                                                            						_v12 = _v12 + 4;
                                                            						_t63 = _t87 - 3; // 0xf9
                                                            						_t171 =  *(_t183 + (_t63 & 0x00000007) * 4 - 0x3c);
                                                            						asm("ror edi, 0x16");
                                                            						asm("ror ebx, 0xd");
                                                            						asm("ror ebx, 0x2");
                                                            						_t67 = _t87 - 2; // 0xfa
                                                            						_v16 = _t171;
                                                            						 *_t123 =  *_t123 + ( *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c)) + ( *(_t183 + (_t67 & 0x00000007) * 4 - 0x3c) & (_t171 |  *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c)) | _v16 &  *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c));
                                                            						_t114 = _v20 + 1;
                                                            						_t130 = _v24 + 4;
                                                            						_t87 = _t87 - 1;
                                                            						_t75 =  &_v28;
                                                            						 *_t75 = _v28 - 1;
                                                            						_v20 = _t114;
                                                            						_v24 = _t130;
                                                            					} while ( *_t75 != 0);
                                                            					_v8 = _v8 + 0x10;
                                                            				} while (_v8 < 0x40);
                                                            				_t88 = _a4;
                                                            				_t144 = 8;
                                                            				_t129 =  &_v64 - _t88;
                                                            				do {
                                                            					 *_t88 =  *_t88 +  *((intOrPtr*)(_t129 + _t88));
                                                            					_t88 = _t88 + 4;
                                                            					_t144 = _t144 - 1;
                                                            				} while (_t144 != 0);
                                                            				return _t88;
                                                            			}

























                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: 87d56cd6be4157368c5d66f6abcfc78e7b74221c1421a602161ec958c702e92e
                                                            • Instruction ID: cb0a4cd02ad45149a2b8ae115c8f8f0a59dbe70f5b8a0e844d152124576e4919
                                                            • Opcode Fuzzy Hash: 87d56cd6be4157368c5d66f6abcfc78e7b74221c1421a602161ec958c702e92e
                                                            • Instruction Fuzzy Hash: 02516EB3D003199FCB14CFD5D8846DDB3B2EF88318F6A8169D9257B651D7702A46CB84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040EE50(signed int* __eax, signed char* _a4, signed char* _a8) {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				signed int _v20;
                                                            				signed int _v24;
                                                            				signed int _v28;
                                                            				signed int* _t243;
                                                            				signed int _t246;
                                                            				signed int _t251;
                                                            				signed int _t254;
                                                            				unsigned int _t257;
                                                            				void* _t259;
                                                            				void* _t260;
                                                            				signed int _t261;
                                                            				void* _t268;
                                                            				void* _t269;
                                                            				signed int _t270;
                                                            				signed char* _t276;
                                                            				signed int _t280;
                                                            				signed char* _t281;
                                                            				signed int _t283;
                                                            				signed char* _t284;
                                                            				signed char* _t286;
                                                            				signed char* _t291;
                                                            				signed char* _t293;
                                                            				void* _t298;
                                                            				signed char* _t300;
                                                            				signed char* _t302;
                                                            				signed char* _t304;
                                                            				signed int _t311;
                                                            				signed int _t315;
                                                            				signed char* _t316;
                                                            				signed int _t318;
                                                            				void* _t319;
                                                            				unsigned int _t337;
                                                            				signed int _t342;
                                                            				signed short* _t346;
                                                            				signed short* _t347;
                                                            				unsigned int _t353;
                                                            				signed char _t356;
                                                            				void* _t357;
                                                            				void* _t358;
                                                            				signed int _t363;
                                                            				signed int _t380;
                                                            				void* _t381;
                                                            				signed int _t385;
                                                            				unsigned int _t391;
                                                            				signed char* _t392;
                                                            				void* _t395;
                                                            				void* _t396;
                                                            				signed char* _t397;
                                                            				signed int _t405;
                                                            				unsigned int _t408;
                                                            				signed char* _t409;
                                                            				signed int _t411;
                                                            				void* _t416;
                                                            				signed int _t431;
                                                            				void* _t433;
                                                            				signed int _t434;
                                                            				signed int _t435;
                                                            				signed int _t442;
                                                            				signed int _t461;
                                                            				signed int _t462;
                                                            				signed int _t470;
                                                            				signed int _t471;
                                                            				signed int _t472;
                                                            				signed int _t473;
                                                            				signed int _t474;
                                                            				signed int _t475;
                                                            				unsigned int _t476;
                                                            				signed int _t477;
                                                            				unsigned int _t478;
                                                            
                                                            				_t243 = __eax;
                                                            				_v8 = __eax[8];
                                                            				_a8 =  &(_a4[_a8]);
                                                            				_t318 = __eax[4];
                                                            				_t470 = __eax[7];
                                                            				_t435 = __eax[0xd];
                                                            				_t405 = (1 << __eax[2]) - 0x00000001 & __eax[0xb];
                                                            				_v12 = _t318;
                                                            				_v24 =  *(_t318 + ((_t435 << 4) + 1) * 2) & 0x0000ffff;
                                                            				if(_t470 >= 0x1000000) {
                                                            					L4:
                                                            					_t337 = (_t470 >> 0xb) * _v24;
                                                            					if(_v8 >= _t337) {
                                                            						_v8 = _v8 - _t337;
                                                            						_t471 = _t470 - _t337;
                                                            						_t319 = 0x1000000;
                                                            						if(_t471 >= 0x1000000) {
                                                            							L35:
                                                            							_t246 = (_t471 >> 0xb) * ( *(_v12 + 0x180 + _t435 * 2) & 0x0000ffff);
                                                            							if(_v8 >= _t246) {
                                                            								_v8 = _v8 - _t246;
                                                            								_t472 = _t471 - _t246;
                                                            								_v20 = 3;
                                                            								if(_t472 >= _t319) {
                                                            									L40:
                                                            									_t342 = (_t472 >> 0xb) * ( *(_v12 + 0x198 + _t435 * 2) & 0x0000ffff);
                                                            									if(_v8 >= _t342) {
                                                            										_v8 = _v8 - _t342;
                                                            										_t473 = _t472 - _t342;
                                                            										if(_t473 >= _t319) {
                                                            											L51:
                                                            											_t251 = (_t473 >> 0xb) * ( *(_v12 + 0x1b0 + _t435 * 2) & 0x0000ffff);
                                                            											if(_v8 < _t251) {
                                                            												L56:
                                                            												_t474 = _t251;
                                                            												L58:
                                                            												_v28 = 0xc;
                                                            												_t346 = _v12 + 0xa68;
                                                            												L59:
                                                            												if(_t474 >= _t319) {
                                                            													L62:
                                                            													_t254 = (_t474 >> 0xb) * ( *_t346 & 0x0000ffff);
                                                            													if(_v8 >= _t254) {
                                                            														_v8 = _v8 - _t254;
                                                            														_t475 = _t474 - _t254;
                                                            														if(_t475 >= _t319) {
                                                            															L67:
                                                            															_t257 = (_t475 >> 0xb) * (_t346[1] & 0x0000ffff);
                                                            															if(_v8 >= _t257) {
                                                            																_v8 = _v8 - _t257;
                                                            																_t476 = _t475 - _t257;
                                                            																_t347 =  &(_t346[0x102]);
                                                            																_v24 = 0x10;
                                                            																_v16 = 0x100;
                                                            															} else {
                                                            																_t476 = _t257;
                                                            																_t283 = 8;
                                                            																_t347 =  &(_t346[0x82]) + (_t405 << 4);
                                                            																_v24 = _t283;
                                                            																_v16 = _t283;
                                                            															}
                                                            															L70:
                                                            															_t259 = 1;
                                                            															do {
                                                            																_t260 = _t259 + _t259;
                                                            																if(_t476 >= _t319) {
                                                            																	goto L74;
                                                            																}
                                                            																_t409 = _a4;
                                                            																if(_t409 >= _a8) {
                                                            																	L2:
                                                            																	return 0;
                                                            																}
                                                            																_t476 = _t476 << 8;
                                                            																_a4 =  &(_a4[1]);
                                                            																_v8 = _v8 << 0x00000008 |  *_t409 & 0x000000ff;
                                                            																L74:
                                                            																_t408 = (_t476 >> 0xb) * ( *(_t260 + _t347) & 0x0000ffff);
                                                            																if(_v8 >= _t408) {
                                                            																	_v8 = _v8 - _t408;
                                                            																	_t476 = _t476 - _t408;
                                                            																	_t259 = _t260 + 1;
                                                            																} else {
                                                            																	_t476 = _t408;
                                                            																}
                                                            															} while (_t259 < _v16);
                                                            															_t261 = _t259 + _v24 - _v16;
                                                            															if(_v28 >= 4) {
                                                            																L106:
                                                            																if(_t476 >= _t319 || _a4 < _a8) {
                                                            																	return _v20;
                                                            																} else {
                                                            																	goto L2;
                                                            																}
                                                            															}
                                                            															if(_t261 >= 4) {
                                                            																_t261 = 3;
                                                            															}
                                                            															_t442 = _v12;
                                                            															_v16 = (_t261 << 7) + _t442 + 0x360;
                                                            															_t268 = 1;
                                                            															do {
                                                            																_t269 = _t268 + _t268;
                                                            																_t411 =  *(_t269 + _v16) & 0x0000ffff;
                                                            																if(_t476 >= _t319) {
                                                            																	goto L85;
                                                            																}
                                                            																if(_a4 >= _a8) {
                                                            																	goto L2;
                                                            																}
                                                            																_t442 = _v12;
                                                            																_t476 = _t476 << 8;
                                                            																_a4 =  &(_a4[1]);
                                                            																_v8 = _v8 << 0x00000008 |  *_a4 & 0x000000ff;
                                                            																L85:
                                                            																_t353 = (_t476 >> 0xb) * _t411;
                                                            																if(_v8 >= _t353) {
                                                            																	_v8 = _v8 - _t353;
                                                            																	_t476 = _t476 - _t353;
                                                            																	_t268 = _t269 + 1;
                                                            																} else {
                                                            																	_t476 = _t353;
                                                            																}
                                                            															} while (_t268 < 0x40);
                                                            															_t270 = _t268 - 0x40;
                                                            															if(_t270 < 4) {
                                                            																goto L106;
                                                            															}
                                                            															_t356 = (_t270 >> 1) - 1;
                                                            															_v24 = _t356;
                                                            															if(_t270 >= 0xe) {
                                                            																_t357 = _t356 - 4;
                                                            																do {
                                                            																	if(_t476 >= _t319) {
                                                            																		goto L96;
                                                            																	}
                                                            																	_t276 = _a4;
                                                            																	if(_t276 >= _a8) {
                                                            																		goto L2;
                                                            																	}
                                                            																	_t476 = _t476 << 8;
                                                            																	_a4 =  &(_a4[1]);
                                                            																	_v8 = _v8 << 0x00000008 |  *_t276 & 0x000000ff;
                                                            																	L96:
                                                            																	_t476 = _t476 >> 1;
                                                            																	_v8 = _v8 - ((_v8 - _t476 >> 0x0000001f) - 0x00000001 & _t476);
                                                            																	_t357 = _t357 - 1;
                                                            																} while (_t357 != 0);
                                                            																_t226 = _t442 + 0x644; // 0x644
                                                            																_t358 = _t226;
                                                            																_v24 = 4;
                                                            																L98:
                                                            																_t416 = 1;
                                                            																do {
                                                            																	_t416 = _t416 + _t416;
                                                            																	if(_t476 >= _t319) {
                                                            																		goto L102;
                                                            																	}
                                                            																	_t281 = _a4;
                                                            																	if(_t281 >= _a8) {
                                                            																		goto L2;
                                                            																	}
                                                            																	_t476 = _t476 << 8;
                                                            																	_a4 =  &(_a4[1]);
                                                            																	_v8 = _v8 << 0x00000008 |  *_t281 & 0x000000ff;
                                                            																	L102:
                                                            																	_t280 = (_t476 >> 0xb) * ( *(_t416 + _t358) & 0x0000ffff);
                                                            																	if(_v8 >= _t280) {
                                                            																		_v8 = _v8 - _t280;
                                                            																		_t476 = _t476 - _t280;
                                                            																		_t416 = _t416 + 1;
                                                            																	} else {
                                                            																		_t476 = _t280;
                                                            																	}
                                                            																	_t238 =  &_v24;
                                                            																	 *_t238 = _v24 - 1;
                                                            																} while ( *_t238 != 0);
                                                            																goto L106;
                                                            															}
                                                            															_t215 = (((_t270 & 0x00000001 | 0x00000002) << _t356) - _t270) * 2; // 0x55e
                                                            															_t358 = _t442 + _t215 + 0x55e;
                                                            															goto L98;
                                                            														}
                                                            														_t284 = _a4;
                                                            														if(_t284 >= _a8) {
                                                            															goto L2;
                                                            														}
                                                            														_t475 = _t475 << 8;
                                                            														_a4 =  &(_a4[1]);
                                                            														_v8 = _v8 << 0x00000008 |  *_t284 & 0x000000ff;
                                                            														goto L67;
                                                            													}
                                                            													_v24 = _v24 & 0x00000000;
                                                            													_t476 = _t254;
                                                            													_t347 =  &(_t346[2]) + (_t405 << 4);
                                                            													_v16 = 8;
                                                            													goto L70;
                                                            												}
                                                            												_t286 = _a4;
                                                            												if(_t286 >= _a8) {
                                                            													goto L2;
                                                            												}
                                                            												_t474 = _t474 << 8;
                                                            												_a4 =  &(_a4[1]);
                                                            												_v8 = _v8 << 0x00000008 |  *_t286 & 0x000000ff;
                                                            												goto L62;
                                                            											}
                                                            											_v8 = _v8 - _t251;
                                                            											_t477 = _t473 - _t251;
                                                            											_t363 =  *(_v12 + 0x1c8 + _t435 * 2) & 0x0000ffff;
                                                            											if(_t477 >= _t319) {
                                                            												L55:
                                                            												_t251 = (_t477 >> 0xb) * _t363;
                                                            												if(_v8 >= _t251) {
                                                            													L57:
                                                            													_t474 = _t477 - _t251;
                                                            													_v8 = _v8 - _t251;
                                                            													goto L58;
                                                            												}
                                                            												goto L56;
                                                            											}
                                                            											_t291 = _a4;
                                                            											if(_t291 >= _a8) {
                                                            												goto L2;
                                                            											}
                                                            											_t477 = _t477 << 8;
                                                            											_a4 =  &(_a4[1]);
                                                            											_v8 = _v8 << 0x00000008 |  *_t291 & 0x000000ff;
                                                            											goto L55;
                                                            										}
                                                            										_t293 = _a4;
                                                            										if(_t293 >= _a8) {
                                                            											goto L2;
                                                            										}
                                                            										_t473 = _t473 << 8;
                                                            										_a4 =  &(_a4[1]);
                                                            										_v8 = _v8 << 0x00000008 |  *_t293 & 0x000000ff;
                                                            										goto L51;
                                                            									}
                                                            									_t461 =  *(_v12 + ((_t435 + 0xf << 4) + _t405) * 2) & 0x0000ffff;
                                                            									_t477 = _t342;
                                                            									if(_t342 >= _t319) {
                                                            										L44:
                                                            										_t251 = (_t477 >> 0xb) * _t461;
                                                            										if(_v8 >= _t251) {
                                                            											goto L57;
                                                            										}
                                                            										if(_t251 >= _t319 || _a4 < _a8) {
                                                            											_t298 = 3;
                                                            											return _t298;
                                                            										} else {
                                                            											goto L2;
                                                            										}
                                                            									}
                                                            									_t300 = _a4;
                                                            									if(_t300 >= _a8) {
                                                            										goto L2;
                                                            									}
                                                            									_t477 = _t342 << 8;
                                                            									_a4 =  &(_a4[1]);
                                                            									_v8 = _v8 << 0x00000008 |  *_t300 & 0x000000ff;
                                                            									goto L44;
                                                            								}
                                                            								_t302 = _a4;
                                                            								if(_t302 >= _a8) {
                                                            									goto L2;
                                                            								}
                                                            								_t472 = _t472 << 8;
                                                            								_a4 =  &(_a4[1]);
                                                            								_v8 = _v8 << 0x00000008 |  *_t302 & 0x000000ff;
                                                            								goto L40;
                                                            							}
                                                            							_v28 = _v28 & 0x00000000;
                                                            							_t474 = _t246;
                                                            							_t346 = _v12 + 0x664;
                                                            							_v20 = 2;
                                                            							goto L59;
                                                            						}
                                                            						_t304 = _a4;
                                                            						if(_t304 >= _a8) {
                                                            							goto L2;
                                                            						}
                                                            						_t471 = _t471 << 8;
                                                            						_a4 =  &(_a4[1]);
                                                            						_v8 = _v8 << 0x00000008 |  *_t304 & 0x000000ff;
                                                            						goto L35;
                                                            					}
                                                            					_t478 = _t337;
                                                            					_v16 = _v12 + 0xe6c;
                                                            					if(_t243[0xc] != 0 || _t243[0xb] != 0) {
                                                            						_t380 = _t243[9];
                                                            						if(_t380 == 0) {
                                                            							_t380 = _t243[0xa];
                                                            						}
                                                            						_t381 = 8;
                                                            						_v16 = _v16 + ((( *(_t243[5] + _t380 - 1) & 0x000000ff) >> _t381 -  *_t243) + (((1 << _t243[1]) - 0x00000001 & _t243[0xb]) <<  *_t243)) * 0x600;
                                                            					}
                                                            					if(_t435 >= 7) {
                                                            						_t431 = _t243[9];
                                                            						_t462 = _t243[0xe];
                                                            						if(_t431 >= _t462) {
                                                            							_t385 = 0;
                                                            						} else {
                                                            							_t385 = _t243[0xa];
                                                            						}
                                                            						_v20 =  *(_t243[5] - _t462 + _t431 + _t385) & 0x000000ff;
                                                            						_v12 = 0x100;
                                                            						_t433 = 1;
                                                            						_t319 = 0x1000000;
                                                            						do {
                                                            							_v20 = _v20 << 1;
                                                            							_t311 = _v12 & _v20;
                                                            							_v24 =  *(_v16 + (_t311 + _t433 + _v12) * 2) & 0x0000ffff;
                                                            							if(_t478 >= _t319) {
                                                            								goto L27;
                                                            							}
                                                            							_t392 = _a4;
                                                            							if(_t392 >= _a8) {
                                                            								goto L2;
                                                            							}
                                                            							_t478 = _t478 << 8;
                                                            							_a4 =  &(_a4[1]);
                                                            							_v8 = _v8 << 0x00000008 |  *_t392 & 0x000000ff;
                                                            							L27:
                                                            							_t391 = (_t478 >> 0xb) * _v24;
                                                            							if(_v8 >= _t391) {
                                                            								_t478 = _t478 - _t391;
                                                            								_v8 = _v8 - _t391;
                                                            								_t433 = _t433 + _t433 + 1;
                                                            							} else {
                                                            								_t478 = _t391;
                                                            								_t433 = _t433 + _t433;
                                                            								_t311 =  !_t311;
                                                            							}
                                                            							_v12 = _v12 & _t311;
                                                            						} while (_t433 < 0x100);
                                                            						goto L31;
                                                            					} else {
                                                            						_t395 = 1;
                                                            						_t319 = 0x1000000;
                                                            						do {
                                                            							_t396 = _t395 + _t395;
                                                            							_t434 =  *(_t396 + _v16) & 0x0000ffff;
                                                            							if(_t478 >= _t319) {
                                                            								goto L15;
                                                            							}
                                                            							_t316 = _a4;
                                                            							if(_t316 >= _a8) {
                                                            								goto L2;
                                                            							}
                                                            							_t478 = _t478 << 8;
                                                            							_a4 =  &(_a4[1]);
                                                            							_v8 = _v8 << 0x00000008 |  *_t316 & 0x000000ff;
                                                            							L15:
                                                            							_t315 = (_t478 >> 0xb) * _t434;
                                                            							if(_v8 >= _t315) {
                                                            								_v8 = _v8 - _t315;
                                                            								_t478 = _t478 - _t315;
                                                            								_t395 = _t396 + 1;
                                                            							} else {
                                                            								_t478 = _t315;
                                                            							}
                                                            						} while (_t395 < 0x100);
                                                            						L31:
                                                            						_v20 = 1;
                                                            						goto L106;
                                                            					}
                                                            				}
                                                            				_t397 = _a4;
                                                            				if(_t397 < _a8) {
                                                            					_t470 = _t470 << 8;
                                                            					_a4 =  &(_a4[1]);
                                                            					_v8 = _v8 << 0x00000008 |  *_t397 & 0x000000ff;
                                                            					goto L4;
                                                            				}
                                                            				goto L2;
                                                            			}
                                                            0x0040f294
                                                            0x0040f297
                                                            0x0040f29a
                                                            0x0040f29d
                                                            0x0040f2a6
                                                            0x0040f2ac
                                                            0x0040f2b2
                                                            0x0040f2b5
                                                            0x0040f2b7
                                                            0x0040f2ae
                                                            0x0040f2ae
                                                            0x0040f2ae
                                                            0x0040f2b8
                                                            0x0040f2c3
                                                            0x0040f2c9
                                                            0x0040f3f7
                                                            0x0040f3f9
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f3f9
                                                            0x0040f2d2
                                                            0x0040f2d6
                                                            0x0040f2d6
                                                            0x0040f2d7
                                                            0x0040f2e4
                                                            0x0040f2e9
                                                            0x0040f2ea
                                                            0x0040f2ed
                                                            0x0040f2ef
                                                            0x0040f2f5
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f2fd
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f311
                                                            0x0040f314
                                                            0x0040f317
                                                            0x0040f31a
                                                            0x0040f31d
                                                            0x0040f322
                                                            0x0040f328
                                                            0x0040f32e
                                                            0x0040f331
                                                            0x0040f333
                                                            0x0040f32a
                                                            0x0040f32a
                                                            0x0040f32a
                                                            0x0040f334
                                                            0x0040f339
                                                            0x0040f33f
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f349
                                                            0x0040f34a
                                                            0x0040f350
                                                            0x0040f367
                                                            0x0040f36a
                                                            0x0040f36c
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f36e
                                                            0x0040f374
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f385
                                                            0x0040f388
                                                            0x0040f38b
                                                            0x0040f38e
                                                            0x0040f391
                                                            0x0040f39b
                                                            0x0040f39e
                                                            0x0040f39e
                                                            0x0040f3a1
                                                            0x0040f3a1
                                                            0x0040f3a7
                                                            0x0040f3ae
                                                            0x0040f3b0
                                                            0x0040f3b1
                                                            0x0040f3b1
                                                            0x0040f3b5
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f3b7
                                                            0x0040f3bd
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f3ce
                                                            0x0040f3d1
                                                            0x0040f3d4
                                                            0x0040f3d7
                                                            0x0040f3e0
                                                            0x0040f3e6
                                                            0x0040f3ec
                                                            0x0040f3ef
                                                            0x0040f3f1
                                                            0x0040f3e8
                                                            0x0040f3e8
                                                            0x0040f3e8
                                                            0x0040f3f2
                                                            0x0040f3f2
                                                            0x0040f3f2
                                                            0x00000000
                                                            0x0040f3b1
                                                            0x0040f35e
                                                            0x0040f35e
                                                            0x00000000
                                                            0x0040f35e
                                                            0x0040f213
                                                            0x0040f219
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f22a
                                                            0x0040f22d
                                                            0x0040f230
                                                            0x00000000
                                                            0x0040f230
                                                            0x0040f1f7
                                                            0x0040f1fb
                                                            0x0040f1fd
                                                            0x0040f201
                                                            0x00000000
                                                            0x0040f201
                                                            0x0040f1c4
                                                            0x0040f1ca
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f1db
                                                            0x0040f1de
                                                            0x0040f1e1
                                                            0x00000000
                                                            0x0040f1e1
                                                            0x0040f166
                                                            0x0040f169
                                                            0x0040f16e
                                                            0x0040f178
                                                            0x0040f19a
                                                            0x0040f19f
                                                            0x0040f1a5
                                                            0x0040f1ab
                                                            0x0040f1ab
                                                            0x0040f1ad
                                                            0x00000000
                                                            0x0040f1ad
                                                            0x00000000
                                                            0x0040f1a5
                                                            0x0040f17a
                                                            0x0040f180
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f191
                                                            0x0040f194
                                                            0x0040f197
                                                            0x00000000
                                                            0x0040f197
                                                            0x0040f12e
                                                            0x0040f134
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f145
                                                            0x0040f148
                                                            0x0040f14b
                                                            0x00000000
                                                            0x0040f14b
                                                            0x0040f0d0
                                                            0x0040f0d4
                                                            0x0040f0d8
                                                            0x0040f0fc
                                                            0x0040f101
                                                            0x0040f107
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f10f
                                                            0x0040f11f
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f10f
                                                            0x0040f0da
                                                            0x0040f0e0
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f0ec
                                                            0x0040f0f6
                                                            0x0040f0f9
                                                            0x00000000
                                                            0x0040f0f9
                                                            0x0040f08d
                                                            0x0040f093
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f0a4
                                                            0x0040f0a7
                                                            0x0040f0aa
                                                            0x00000000
                                                            0x0040f0aa
                                                            0x0040f065
                                                            0x0040f069
                                                            0x0040f06b
                                                            0x0040f071
                                                            0x00000000
                                                            0x0040f071
                                                            0x0040f02a
                                                            0x0040f030
                                                            0x00000000
                                                            0x00000000
                                                            0x0040f041
                                                            0x0040f044
                                                            0x0040f047
                                                            0x00000000
                                                            0x0040f047
                                                            0x0040eecd
                                                            0x0040eedc
                                                            0x0040eedf
                                                            0x0040eee7
                                                            0x0040eeec
                                                            0x0040eeee
                                                            0x0040eeee
                                                            0x0040eefd
                                                            0x0040ef1a
                                                            0x0040ef1a
                                                            0x0040ef20
                                                            0x0040ef7b
                                                            0x0040ef7e
                                                            0x0040ef83
                                                            0x0040ef8a
                                                            0x0040ef85
                                                            0x0040ef85
                                                            0x0040ef85
                                                            0x0040ef99
                                                            0x0040ef9c
                                                            0x0040efa3
                                                            0x0040efa4
                                                            0x0040efa9
                                                            0x0040efa9
                                                            0x0040efaf
                                                            0x0040efbf
                                                            0x0040efc4
                                                            0x00000000
                                                            0x00000000
                                                            0x0040efc6
                                                            0x0040efcc
                                                            0x00000000
                                                            0x00000000
                                                            0x0040efdd
                                                            0x0040efe0
                                                            0x0040efe3
                                                            0x0040efe6
                                                            0x0040efeb
                                                            0x0040eff2
                                                            0x0040effc
                                                            0x0040effe
                                                            0x0040f001
                                                            0x0040eff4
                                                            0x0040eff4
                                                            0x0040eff6
                                                            0x0040eff8
                                                            0x0040eff8
                                                            0x0040f005
                                                            0x0040f008
                                                            0x00000000
                                                            0x0040ef22
                                                            0x0040ef24
                                                            0x0040ef25
                                                            0x0040ef2a
                                                            0x0040ef2d
                                                            0x0040ef2f
                                                            0x0040ef35
                                                            0x00000000
                                                            0x00000000
                                                            0x0040ef37
                                                            0x0040ef3d
                                                            0x00000000
                                                            0x00000000
                                                            0x0040ef4e
                                                            0x0040ef51
                                                            0x0040ef54
                                                            0x0040ef57
                                                            0x0040ef5c
                                                            0x0040ef62
                                                            0x0040ef68
                                                            0x0040ef6b
                                                            0x0040ef6d
                                                            0x0040ef64
                                                            0x0040ef64
                                                            0x0040ef64
                                                            0x0040ef6e
                                                            0x0040f010
                                                            0x0040f010
                                                            0x00000000
                                                            0x0040f010
                                                            0x0040ef20
                                                            0x0040ee98
                                                            0x0040ee9e
                                                            0x0040eeb2
                                                            0x0040eeb5
                                                            0x0040eeb8
                                                            0x00000000
                                                            0x0040eeb8
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 23632c936667db84b4985c6fb5177f9679dbdd5064871ff45c40afa9e7e0a2cb
                                                            • Instruction ID: e96d94f9f021feee69bd0f16c8b626058d6116cb84d32cf07f2a7404c6f20ea9
                                                            • Opcode Fuzzy Hash: 23632c936667db84b4985c6fb5177f9679dbdd5064871ff45c40afa9e7e0a2cb
                                                            • Instruction Fuzzy Hash: B812AF31D00129DFCB18CF69C6905ACBBB2EF85345F2585BED856BB680D3389E85DB84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00416135(void* __eax, void* __ecx) {
                                                            				void* _t196;
                                                            				signed int _t197;
                                                            				void* _t200;
                                                            				signed char _t206;
                                                            				signed char _t207;
                                                            				signed char _t208;
                                                            				signed char _t210;
                                                            				signed char _t211;
                                                            				signed int _t216;
                                                            				signed int _t316;
                                                            				void* _t319;
                                                            				void* _t321;
                                                            				void* _t323;
                                                            				void* _t325;
                                                            				void* _t327;
                                                            				void* _t330;
                                                            				void* _t332;
                                                            				void* _t334;
                                                            				void* _t337;
                                                            				void* _t339;
                                                            				void* _t341;
                                                            				void* _t344;
                                                            				void* _t346;
                                                            				void* _t348;
                                                            				void* _t351;
                                                            				void* _t353;
                                                            				void* _t355;
                                                            				void* _t358;
                                                            				void* _t360;
                                                            				void* _t362;
                                                            
                                                            				_t200 = __ecx;
                                                            				_t196 = __eax;
                                                            				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
                                                            					_t316 = 0;
                                                            					L17:
                                                            					if(_t316 != 0) {
                                                            						goto L1;
                                                            					}
                                                            					_t206 =  *(_t196 - 0x1b);
                                                            					if(_t206 ==  *(_t200 - 0x1b)) {
                                                            						_t316 = 0;
                                                            						L28:
                                                            						if(_t316 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						_t207 =  *(_t196 - 0x17);
                                                            						if(_t207 ==  *(_t200 - 0x17)) {
                                                            							_t316 = 0;
                                                            							L39:
                                                            							if(_t316 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							_t208 =  *(_t196 - 0x13);
                                                            							if(_t208 ==  *(_t200 - 0x13)) {
                                                            								_t316 = 0;
                                                            								L50:
                                                            								if(_t316 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
                                                            									_t316 = 0;
                                                            									L61:
                                                            									if(_t316 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									_t210 =  *(_t196 - 0xb);
                                                            									if(_t210 ==  *(_t200 - 0xb)) {
                                                            										_t316 = 0;
                                                            										L72:
                                                            										if(_t316 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										_t211 =  *(_t196 - 7);
                                                            										if(_t211 ==  *(_t200 - 7)) {
                                                            											_t316 = 0;
                                                            											L83:
                                                            											if(_t316 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
                                                            											if(_t319 == 0) {
                                                            												L5:
                                                            												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
                                                            												if(_t321 == 0) {
                                                            													L3:
                                                            													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
                                                            													if(_t197 != 0) {
                                                            														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
                                                            													}
                                                            													L2:
                                                            													return _t197;
                                                            												}
                                                            												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
                                                            												if(_t216 != 0) {
                                                            													L86:
                                                            													_t197 = _t216;
                                                            													goto L2;
                                                            												} else {
                                                            													goto L3;
                                                            												}
                                                            											}
                                                            											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
                                                            											if(_t216 == 0) {
                                                            												goto L5;
                                                            											}
                                                            											goto L86;
                                                            										}
                                                            										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
                                                            										if(_t323 == 0) {
                                                            											L76:
                                                            											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
                                                            											if(_t325 == 0) {
                                                            												L78:
                                                            												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
                                                            												if(_t327 == 0) {
                                                            													L80:
                                                            													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
                                                            													if(_t316 != 0) {
                                                            														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                            													}
                                                            													goto L83;
                                                            												}
                                                            												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
                                                            												if(_t316 != 0) {
                                                            													goto L1;
                                                            												}
                                                            												goto L80;
                                                            											}
                                                            											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
                                                            											if(_t316 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											goto L78;
                                                            										}
                                                            										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
                                                            										if(_t316 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L76;
                                                            									}
                                                            									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
                                                            									if(_t330 == 0) {
                                                            										L65:
                                                            										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
                                                            										if(_t332 == 0) {
                                                            											L67:
                                                            											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
                                                            											if(_t334 == 0) {
                                                            												L69:
                                                            												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
                                                            												if(_t316 != 0) {
                                                            													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                            												}
                                                            												goto L72;
                                                            											}
                                                            											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
                                                            											if(_t316 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											goto L69;
                                                            										}
                                                            										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
                                                            										if(_t316 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L67;
                                                            									}
                                                            									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
                                                            									if(_t316 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L65;
                                                            								}
                                                            								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
                                                            								if(_t337 == 0) {
                                                            									L54:
                                                            									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
                                                            									if(_t339 == 0) {
                                                            										L56:
                                                            										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
                                                            										if(_t341 == 0) {
                                                            											L58:
                                                            											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
                                                            											if(_t316 != 0) {
                                                            												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                            											}
                                                            											goto L61;
                                                            										}
                                                            										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
                                                            										if(_t316 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L58;
                                                            									}
                                                            									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
                                                            									if(_t316 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L56;
                                                            								}
                                                            								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
                                                            								if(_t316 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L54;
                                                            							}
                                                            							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
                                                            							if(_t344 == 0) {
                                                            								L43:
                                                            								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
                                                            								if(_t346 == 0) {
                                                            									L45:
                                                            									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
                                                            									if(_t348 == 0) {
                                                            										L47:
                                                            										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
                                                            										if(_t316 != 0) {
                                                            											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                            										}
                                                            										goto L50;
                                                            									}
                                                            									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
                                                            									if(_t316 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L47;
                                                            								}
                                                            								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
                                                            								if(_t316 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L45;
                                                            							}
                                                            							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
                                                            							if(_t316 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L43;
                                                            						}
                                                            						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
                                                            						if(_t351 == 0) {
                                                            							L32:
                                                            							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
                                                            							if(_t353 == 0) {
                                                            								L34:
                                                            								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
                                                            								if(_t355 == 0) {
                                                            									L36:
                                                            									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
                                                            									if(_t316 != 0) {
                                                            										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                            									}
                                                            									goto L39;
                                                            								}
                                                            								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
                                                            								if(_t316 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L36;
                                                            							}
                                                            							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
                                                            							if(_t316 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L34;
                                                            						}
                                                            						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
                                                            						if(_t316 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L32;
                                                            					}
                                                            					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
                                                            					if(_t358 == 0) {
                                                            						L21:
                                                            						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
                                                            						if(_t360 == 0) {
                                                            							L23:
                                                            							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
                                                            							if(_t362 == 0) {
                                                            								L25:
                                                            								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
                                                            								if(_t316 != 0) {
                                                            									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                            								}
                                                            								goto L28;
                                                            							}
                                                            							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
                                                            							if(_t316 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L25;
                                                            						}
                                                            						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
                                                            						if(_t316 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L23;
                                                            					}
                                                            					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
                                                            					if(_t316 != 0) {
                                                            						goto L1;
                                                            					}
                                                            					goto L21;
                                                            				} else {
                                                            					__edx =  *(__ecx - 0x1f) & 0x000000ff;
                                                            					__esi =  *(__eax - 0x1f) & 0x000000ff;
                                                            					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
                                                            					if(__esi == 0) {
                                                            						L10:
                                                            						__esi =  *(__eax - 0x1e) & 0x000000ff;
                                                            						__edx =  *(__ecx - 0x1e) & 0x000000ff;
                                                            						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
                                                            						if(__esi == 0) {
                                                            							L12:
                                                            							__esi =  *(__eax - 0x1d) & 0x000000ff;
                                                            							__edx =  *(__ecx - 0x1d) & 0x000000ff;
                                                            							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
                                                            							if(__esi == 0) {
                                                            								L14:
                                                            								__esi =  *(__eax - 0x1c) & 0x000000ff;
                                                            								__edx =  *(__ecx - 0x1c) & 0x000000ff;
                                                            								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                                                            								if(__esi != 0) {
                                                            									0 = 0 | __esi > 0x00000000;
                                                            									__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            									__esi = (__esi > 0) + (__esi > 0) - 1;
                                                            								}
                                                            								goto L17;
                                                            							}
                                                            							0 = 0 | __esi > 0x00000000;
                                                            							__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            							__esi = __edx;
                                                            							if(__edx != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L14;
                                                            						}
                                                            						0 = 0 | __esi > 0x00000000;
                                                            						__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            						__esi = __edx;
                                                            						if(__edx != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L12;
                                                            					}
                                                            					0 = 0 | __esi > 0x00000000;
                                                            					__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            					__esi = __edx;
                                                            					if(__edx != 0) {
                                                            						goto L1;
                                                            					}
                                                            					goto L10;
                                                            				}
                                                            				L1:
                                                            				_t197 = _t316;
                                                            				goto L2;
                                                            			}

                                                            0x00416413
                                                            0x0041642a
                                                            0x00416432
                                                            0x00416434
                                                            0x0041644b
                                                            0x00416453
                                                            0x00416455
                                                            0x0041646c
                                                            0x00416474
                                                            0x00416476
                                                            0x00416483
                                                            0x00416483
                                                            0x00000000
                                                            0x00416476
                                                            0x00416462
                                                            0x00416466
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416466
                                                            0x00416441
                                                            0x00416445
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416445
                                                            0x00416420
                                                            0x00416424
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416424
                                                            0x00416382
                                                            0x00416384
                                                            0x0041639b
                                                            0x004163a3
                                                            0x004163a5
                                                            0x004163bc
                                                            0x004163c4
                                                            0x004163c6
                                                            0x004163dd
                                                            0x004163e5
                                                            0x004163e7
                                                            0x004163f4
                                                            0x004163f4
                                                            0x00000000
                                                            0x004163e7
                                                            0x004163d3
                                                            0x004163d7
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004163d7
                                                            0x004163b2
                                                            0x004163b6
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004163b6
                                                            0x00416391
                                                            0x00416395
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416395
                                                            0x004162f2
                                                            0x004162f4
                                                            0x0041630b
                                                            0x00416313
                                                            0x00416315
                                                            0x0041632c
                                                            0x00416334
                                                            0x00416336
                                                            0x0041634d
                                                            0x00416355
                                                            0x00416357
                                                            0x00416364
                                                            0x00416364
                                                            0x00000000
                                                            0x00416357
                                                            0x00416343
                                                            0x00416347
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416347
                                                            0x00416322
                                                            0x00416326
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416326
                                                            0x00416301
                                                            0x00416305
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416305
                                                            0x00416263
                                                            0x00416265
                                                            0x0041627c
                                                            0x00416284
                                                            0x00416286
                                                            0x0041629d
                                                            0x004162a5
                                                            0x004162a7
                                                            0x004162be
                                                            0x004162c6
                                                            0x004162c8
                                                            0x004162d5
                                                            0x004162d5
                                                            0x00000000
                                                            0x004162c8
                                                            0x004162b4
                                                            0x004162b8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004162b8
                                                            0x00416293
                                                            0x00416297
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416297
                                                            0x00416272
                                                            0x00416276
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416276
                                                            0x004161d4
                                                            0x004161d6
                                                            0x004161ed
                                                            0x004161f5
                                                            0x004161f7
                                                            0x0041620e
                                                            0x00416216
                                                            0x00416218
                                                            0x0041622f
                                                            0x00416237
                                                            0x00416239
                                                            0x00416246
                                                            0x00416246
                                                            0x00000000
                                                            0x00416239
                                                            0x00416225
                                                            0x00416229
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416229
                                                            0x00416204
                                                            0x00416208
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416208
                                                            0x004161e3
                                                            0x004161e7
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0041613d
                                                            0x0041613d
                                                            0x00416141
                                                            0x00416145
                                                            0x00416147
                                                            0x0041615e
                                                            0x0041615e
                                                            0x00416162
                                                            0x00416166
                                                            0x00416168
                                                            0x0041617f
                                                            0x0041617f
                                                            0x00416183
                                                            0x00416187
                                                            0x00416189
                                                            0x004161a0
                                                            0x004161a0
                                                            0x004161a4
                                                            0x004161a8
                                                            0x004161aa
                                                            0x004161b0
                                                            0x004161b3
                                                            0x004161b7
                                                            0x004161b7
                                                            0x00000000
                                                            0x004161aa
                                                            0x0041618f
                                                            0x00416192
                                                            0x00416196
                                                            0x0041619a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0041619a
                                                            0x0041616e
                                                            0x00416171
                                                            0x00416175
                                                            0x00416179
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416179
                                                            0x0041614d
                                                            0x00416150
                                                            0x00416154
                                                            0x00416158
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00416158
                                                            0x0041552e
                                                            0x0041552e
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                            • Instruction ID: 8345204ae003dfb015fc851f0818e3b3c6fff625dc7de4c686bcf5d3db8f6dee
                                                            • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                            • Instruction Fuzzy Hash: 42D16E73C0A9B38A8735812D50681BBEE636FD165131FC3E2DCE42F38D922A9D9196D4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00415D15(void* __eax, void* __ecx) {
                                                            				void* _t191;
                                                            				signed int _t192;
                                                            				void* _t195;
                                                            				signed char _t201;
                                                            				signed char _t202;
                                                            				signed char _t203;
                                                            				signed char _t204;
                                                            				signed char _t206;
                                                            				signed int _t211;
                                                            				signed int _t309;
                                                            				void* _t312;
                                                            				void* _t314;
                                                            				void* _t316;
                                                            				void* _t318;
                                                            				void* _t321;
                                                            				void* _t323;
                                                            				void* _t325;
                                                            				void* _t328;
                                                            				void* _t330;
                                                            				void* _t332;
                                                            				void* _t335;
                                                            				void* _t337;
                                                            				void* _t339;
                                                            				void* _t342;
                                                            				void* _t344;
                                                            				void* _t346;
                                                            				void* _t349;
                                                            				void* _t351;
                                                            				void* _t353;
                                                            
                                                            				_t195 = __ecx;
                                                            				_t191 = __eax;
                                                            				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
                                                            					_t309 = 0;
                                                            					L15:
                                                            					if(_t309 != 0) {
                                                            						goto L1;
                                                            					}
                                                            					_t201 =  *(_t191 - 0x1a);
                                                            					if(_t201 ==  *(_t195 - 0x1a)) {
                                                            						_t309 = 0;
                                                            						L26:
                                                            						if(_t309 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						_t202 =  *(_t191 - 0x16);
                                                            						if(_t202 ==  *(_t195 - 0x16)) {
                                                            							_t309 = 0;
                                                            							L37:
                                                            							if(_t309 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							_t203 =  *(_t191 - 0x12);
                                                            							if(_t203 ==  *(_t195 - 0x12)) {
                                                            								_t309 = 0;
                                                            								L48:
                                                            								if(_t309 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								_t204 =  *(_t191 - 0xe);
                                                            								if(_t204 ==  *(_t195 - 0xe)) {
                                                            									_t309 = 0;
                                                            									L59:
                                                            									if(_t309 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
                                                            										_t309 = 0;
                                                            										L70:
                                                            										if(_t309 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										_t206 =  *(_t191 - 6);
                                                            										if(_t206 ==  *(_t195 - 6)) {
                                                            											_t309 = 0;
                                                            											L81:
                                                            											if(_t309 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											if( *(_t191 - 2) ==  *(_t195 - 2)) {
                                                            												_t192 = 0;
                                                            												L3:
                                                            												return _t192;
                                                            											}
                                                            											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
                                                            											if(_t312 == 0) {
                                                            												L4:
                                                            												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
                                                            												if(_t192 != 0) {
                                                            													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
                                                            												}
                                                            												goto L3;
                                                            											}
                                                            											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
                                                            											if(_t211 != 0) {
                                                            												_t192 = _t211;
                                                            												goto L3;
                                                            											}
                                                            											goto L4;
                                                            										}
                                                            										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
                                                            										if(_t314 == 0) {
                                                            											L74:
                                                            											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
                                                            											if(_t316 == 0) {
                                                            												L76:
                                                            												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
                                                            												if(_t318 == 0) {
                                                            													L78:
                                                            													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
                                                            													if(_t309 != 0) {
                                                            														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                            													}
                                                            													goto L81;
                                                            												}
                                                            												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
                                                            												if(_t309 != 0) {
                                                            													goto L1;
                                                            												}
                                                            												goto L78;
                                                            											}
                                                            											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                            											if(_t309 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											goto L76;
                                                            										}
                                                            										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
                                                            										if(_t309 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L74;
                                                            									}
                                                            									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
                                                            									if(_t321 == 0) {
                                                            										L63:
                                                            										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
                                                            										if(_t323 == 0) {
                                                            											L65:
                                                            											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
                                                            											if(_t325 == 0) {
                                                            												L67:
                                                            												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
                                                            												if(_t309 != 0) {
                                                            													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                            												}
                                                            												goto L70;
                                                            											}
                                                            											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
                                                            											if(_t309 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											goto L67;
                                                            										}
                                                            										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
                                                            										if(_t309 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L65;
                                                            									}
                                                            									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
                                                            									if(_t309 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L63;
                                                            								}
                                                            								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
                                                            								if(_t328 == 0) {
                                                            									L52:
                                                            									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
                                                            									if(_t330 == 0) {
                                                            										L54:
                                                            										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
                                                            										if(_t332 == 0) {
                                                            											L56:
                                                            											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
                                                            											if(_t309 != 0) {
                                                            												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                            											}
                                                            											goto L59;
                                                            										}
                                                            										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
                                                            										if(_t309 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L56;
                                                            									}
                                                            									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
                                                            									if(_t309 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L54;
                                                            								}
                                                            								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
                                                            								if(_t309 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L52;
                                                            							}
                                                            							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
                                                            							if(_t335 == 0) {
                                                            								L41:
                                                            								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
                                                            								if(_t337 == 0) {
                                                            									L43:
                                                            									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
                                                            									if(_t339 == 0) {
                                                            										L45:
                                                            										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
                                                            										if(_t309 != 0) {
                                                            											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                            										}
                                                            										goto L48;
                                                            									}
                                                            									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
                                                            									if(_t309 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L45;
                                                            								}
                                                            								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
                                                            								if(_t309 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L43;
                                                            							}
                                                            							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
                                                            							if(_t309 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L41;
                                                            						}
                                                            						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
                                                            						if(_t342 == 0) {
                                                            							L30:
                                                            							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
                                                            							if(_t344 == 0) {
                                                            								L32:
                                                            								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
                                                            								if(_t346 == 0) {
                                                            									L34:
                                                            									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
                                                            									if(_t309 != 0) {
                                                            										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                            									}
                                                            									goto L37;
                                                            								}
                                                            								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
                                                            								if(_t309 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L34;
                                                            							}
                                                            							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
                                                            							if(_t309 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L32;
                                                            						}
                                                            						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
                                                            						if(_t309 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L30;
                                                            					}
                                                            					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
                                                            					if(_t349 == 0) {
                                                            						L19:
                                                            						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
                                                            						if(_t351 == 0) {
                                                            							L21:
                                                            							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
                                                            							if(_t353 == 0) {
                                                            								L23:
                                                            								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
                                                            								if(_t309 != 0) {
                                                            									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                            								}
                                                            								goto L26;
                                                            							}
                                                            							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
                                                            							if(_t309 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L23;
                                                            						}
                                                            						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
                                                            						if(_t309 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L21;
                                                            					}
                                                            					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
                                                            					if(_t309 != 0) {
                                                            						goto L1;
                                                            					}
                                                            					goto L19;
                                                            				} else {
                                                            					__esi = __dl & 0x000000ff;
                                                            					__edx =  *(__ecx - 0x1e) & 0x000000ff;
                                                            					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
                                                            					if(__esi == 0) {
                                                            						L8:
                                                            						__esi =  *(__eax - 0x1d) & 0x000000ff;
                                                            						__edx =  *(__ecx - 0x1d) & 0x000000ff;
                                                            						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
                                                            						if(__esi == 0) {
                                                            							L10:
                                                            							__esi =  *(__eax - 0x1c) & 0x000000ff;
                                                            							__edx =  *(__ecx - 0x1c) & 0x000000ff;
                                                            							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                                                            							if(__esi == 0) {
                                                            								L12:
                                                            								__esi =  *(__eax - 0x1b) & 0x000000ff;
                                                            								__edx =  *(__ecx - 0x1b) & 0x000000ff;
                                                            								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
                                                            								if(__esi != 0) {
                                                            									0 = 0 | __esi > 0x00000000;
                                                            									__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            									__esi = (__esi > 0) + (__esi > 0) - 1;
                                                            								}
                                                            								goto L15;
                                                            							}
                                                            							0 = 0 | __esi > 0x00000000;
                                                            							__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            							__esi = __edx;
                                                            							if(__edx != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L12;
                                                            						}
                                                            						0 = 0 | __esi > 0x00000000;
                                                            						__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            						__esi = __edx;
                                                            						if(__edx != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L10;
                                                            					}
                                                            					0 = 0 | __esi > 0x00000000;
                                                            					__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            					__esi = __edx;
                                                            					if(__edx != 0) {
                                                            						goto L1;
                                                            					}
                                                            					goto L8;
                                                            				}
                                                            				L1:
                                                            				_t192 = _t309;
                                                            				goto L3;
                                                            			}

                                                            0x00415e86
                                                            0x00415e9d
                                                            0x00415ea5
                                                            0x00415ea7
                                                            0x00415eb4
                                                            0x00415eb4
                                                            0x00000000
                                                            0x00415ea7
                                                            0x00415e93
                                                            0x00415e97
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00415e97
                                                            0x00415e72
                                                            0x00415e76
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00415e76
                                                            0x00415e51
                                                            0x00415e55
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00415e55
                                                            0x00415db3
                                                            0x00415db5
                                                            0x00415dcc
                                                            0x00415dd4
                                                            0x00415dd6
                                                            0x00415ded
                                                            0x00415df5
                                                            0x00415df7
                                                            0x00415e0e
                                                            0x00415e16
                                                            0x00415e18
                                                            0x00415e25
                                                            0x00415e25
                                                            0x00000000
                                                            0x00415e18
                                                            0x00415e04
                                                            0x00415e08
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00415e08
                                                            0x00415de3
                                                            0x00415de7
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00415de7
                                                            0x00415dc2
                                                            0x00415dc6
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00415d1d
                                                            0x00415d1d
                                                            0x00415d20
                                                            0x00415d24
                                                            0x00415d26
                                                            0x00415d3d
                                                            0x00415d3d
                                                            0x00415d41
                                                            0x00415d45
                                                            0x00415d47
                                                            0x00415d5e
                                                            0x00415d5e
                                                            0x00415d62
                                                            0x00415d66
                                                            0x00415d68
                                                            0x00415d7f
                                                            0x00415d7f
                                                            0x00415d83
                                                            0x00415d87
                                                            0x00415d89
                                                            0x00415d8f
                                                            0x00415d92
                                                            0x00415d96
                                                            0x00415d96
                                                            0x00000000
                                                            0x00415d89
                                                            0x00415d6e
                                                            0x00415d71
                                                            0x00415d75
                                                            0x00415d79
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00415d79
                                                            0x00415d4d
                                                            0x00415d50
                                                            0x00415d54
                                                            0x00415d58
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00415d58
                                                            0x00415d2c
                                                            0x00415d2f
                                                            0x00415d33
                                                            0x00415d37
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00415d37
                                                            0x0041552e
                                                            0x0041552e
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                            • Instruction ID: 7f1d1b7dba172a90adad90693823d38eedfde463e86eb79e2711e55fff790ed3
                                                            • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                            • Instruction Fuzzy Hash: 07D17D73C0A9B38A8736812D50582BBEE636FD165031FC3E2CCD42F38DD62A9D8196D4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00415909(void* __eax, void* __ecx) {
                                                            				void* _t183;
                                                            				signed int _t184;
                                                            				void* _t187;
                                                            				signed char _t193;
                                                            				signed char _t194;
                                                            				signed char _t195;
                                                            				signed char _t196;
                                                            				signed char _t198;
                                                            				signed int _t296;
                                                            				void* _t299;
                                                            				void* _t301;
                                                            				void* _t303;
                                                            				void* _t306;
                                                            				void* _t308;
                                                            				void* _t310;
                                                            				void* _t313;
                                                            				void* _t315;
                                                            				void* _t317;
                                                            				void* _t320;
                                                            				void* _t322;
                                                            				void* _t324;
                                                            				void* _t327;
                                                            				void* _t329;
                                                            				void* _t331;
                                                            				void* _t334;
                                                            				void* _t336;
                                                            				void* _t338;
                                                            
                                                            				_t187 = __ecx;
                                                            				_t183 = __eax;
                                                            				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
                                                            					_t296 = 0;
                                                            					L12:
                                                            					if(_t296 != 0) {
                                                            						goto L1;
                                                            					}
                                                            					_t193 =  *(_t183 - 0x19);
                                                            					if(_t193 ==  *(_t187 - 0x19)) {
                                                            						_t296 = 0;
                                                            						L23:
                                                            						if(_t296 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						_t194 =  *(_t183 - 0x15);
                                                            						if(_t194 ==  *(_t187 - 0x15)) {
                                                            							_t296 = 0;
                                                            							L34:
                                                            							if(_t296 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							_t195 =  *(_t183 - 0x11);
                                                            							if(_t195 ==  *(_t187 - 0x11)) {
                                                            								_t296 = 0;
                                                            								L45:
                                                            								if(_t296 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								_t196 =  *(_t183 - 0xd);
                                                            								if(_t196 ==  *(_t187 - 0xd)) {
                                                            									_t296 = 0;
                                                            									L56:
                                                            									if(_t296 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									if( *(_t183 - 9) ==  *(_t187 - 9)) {
                                                            										_t296 = 0;
                                                            										L67:
                                                            										if(_t296 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										_t198 =  *(_t183 - 5);
                                                            										if(_t198 ==  *(_t187 - 5)) {
                                                            											_t296 = 0;
                                                            											L78:
                                                            											if(_t296 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
                                                            											if(_t184 != 0) {
                                                            												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
                                                            											}
                                                            											L2:
                                                            											return _t184;
                                                            										}
                                                            										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
                                                            										if(_t299 == 0) {
                                                            											L71:
                                                            											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
                                                            											if(_t301 == 0) {
                                                            												L73:
                                                            												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
                                                            												if(_t303 == 0) {
                                                            													L75:
                                                            													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
                                                            													if(_t296 != 0) {
                                                            														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                            													}
                                                            													goto L78;
                                                            												}
                                                            												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
                                                            												if(_t296 != 0) {
                                                            													goto L1;
                                                            												}
                                                            												goto L75;
                                                            											}
                                                            											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
                                                            											if(_t296 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											goto L73;
                                                            										}
                                                            										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
                                                            										if(_t296 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L71;
                                                            									}
                                                            									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
                                                            									if(_t306 == 0) {
                                                            										L60:
                                                            										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
                                                            										if(_t308 == 0) {
                                                            											L62:
                                                            											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
                                                            											if(_t310 == 0) {
                                                            												L64:
                                                            												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
                                                            												if(_t296 != 0) {
                                                            													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                            												}
                                                            												goto L67;
                                                            											}
                                                            											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
                                                            											if(_t296 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											goto L64;
                                                            										}
                                                            										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
                                                            										if(_t296 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L62;
                                                            									}
                                                            									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
                                                            									if(_t296 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L60;
                                                            								}
                                                            								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
                                                            								if(_t313 == 0) {
                                                            									L49:
                                                            									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
                                                            									if(_t315 == 0) {
                                                            										L51:
                                                            										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
                                                            										if(_t317 == 0) {
                                                            											L53:
                                                            											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
                                                            											if(_t296 != 0) {
                                                            												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                            											}
                                                            											goto L56;
                                                            										}
                                                            										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
                                                            										if(_t296 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L53;
                                                            									}
                                                            									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
                                                            									if(_t296 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L51;
                                                            								}
                                                            								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
                                                            								if(_t296 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L49;
                                                            							}
                                                            							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
                                                            							if(_t320 == 0) {
                                                            								L38:
                                                            								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
                                                            								if(_t322 == 0) {
                                                            									L40:
                                                            									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
                                                            									if(_t324 == 0) {
                                                            										L42:
                                                            										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
                                                            										if(_t296 != 0) {
                                                            											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                            										}
                                                            										goto L45;
                                                            									}
                                                            									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
                                                            									if(_t296 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L42;
                                                            								}
                                                            								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
                                                            								if(_t296 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L40;
                                                            							}
                                                            							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
                                                            							if(_t296 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L38;
                                                            						}
                                                            						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
                                                            						if(_t327 == 0) {
                                                            							L27:
                                                            							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
                                                            							if(_t329 == 0) {
                                                            								L29:
                                                            								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
                                                            								if(_t331 == 0) {
                                                            									L31:
                                                            									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
                                                            									if(_t296 != 0) {
                                                            										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                            									}
                                                            									goto L34;
                                                            								}
                                                            								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
                                                            								if(_t296 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L31;
                                                            							}
                                                            							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
                                                            							if(_t296 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L29;
                                                            						}
                                                            						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
                                                            						if(_t296 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L27;
                                                            					}
                                                            					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
                                                            					if(_t334 == 0) {
                                                            						L16:
                                                            						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
                                                            						if(_t336 == 0) {
                                                            							L18:
                                                            							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
                                                            							if(_t338 == 0) {
                                                            								L20:
                                                            								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
                                                            								if(_t296 != 0) {
                                                            									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                            								}
                                                            								goto L23;
                                                            							}
                                                            							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
                                                            							if(_t296 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L20;
                                                            						}
                                                            						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
                                                            						if(_t296 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L18;
                                                            					}
                                                            					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
                                                            					if(_t296 != 0) {
                                                            						goto L1;
                                                            					}
                                                            					goto L16;
                                                            				} else {
                                                            					__esi = __dl & 0x000000ff;
                                                            					__edx =  *(__ecx - 0x1d) & 0x000000ff;
                                                            					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
                                                            					if(__esi == 0) {
                                                            						L5:
                                                            						__esi =  *(__eax - 0x1c) & 0x000000ff;
                                                            						__edx =  *(__ecx - 0x1c) & 0x000000ff;
                                                            						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                                                            						if(__esi == 0) {
                                                            							L7:
                                                            							__esi =  *(__eax - 0x1b) & 0x000000ff;
                                                            							__edx =  *(__ecx - 0x1b) & 0x000000ff;
                                                            							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
                                                            							if(__esi == 0) {
                                                            								L9:
                                                            								__esi =  *(__eax - 0x1a) & 0x000000ff;
                                                            								__edx =  *(__ecx - 0x1a) & 0x000000ff;
                                                            								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
                                                            								if(__esi != 0) {
                                                            									0 = 0 | __esi > 0x00000000;
                                                            									__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            									__esi = (__esi > 0) + (__esi > 0) - 1;
                                                            								}
                                                            								goto L12;
                                                            							}
                                                            							0 = 0 | __esi > 0x00000000;
                                                            							__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            							__esi = __edx;
                                                            							if(__edx != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L9;
                                                            						}
                                                            						0 = 0 | __esi > 0x00000000;
                                                            						__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            						__esi = __edx;
                                                            						if(__edx != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L7;
                                                            					}
                                                            					0 = 0 | __esi > 0x00000000;
                                                            					__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            					__esi = __edx;
                                                            					if(__edx != 0) {
                                                            						goto L1;
                                                            					}
                                                            					goto L5;
                                                            				}
                                                            				L1:
                                                            				_t184 = _t296;
                                                            				goto L2;
                                                            			}


                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                            • Instruction ID: e46aa74bb020d9ebbc0fb3bbbf14fe3e865da12592543abdb7407e22bac6dcd0
                                                            • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                            • Instruction Fuzzy Hash: EDC16E73D1AEB38A8735812D50681FBEE636FD165031EC3E28CE43F38D912A9D8196D4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00415535(void* __eax, void* __ecx) {
                                                            				void* _t177;
                                                            				signed int _t178;
                                                            				void* _t181;
                                                            				signed char _t187;
                                                            				signed char _t188;
                                                            				signed char _t189;
                                                            				signed char _t191;
                                                            				signed char _t192;
                                                            				signed int _t198;
                                                            				signed int _t284;
                                                            				void* _t287;
                                                            				void* _t289;
                                                            				void* _t291;
                                                            				void* _t293;
                                                            				void* _t295;
                                                            				void* _t297;
                                                            				void* _t300;
                                                            				void* _t302;
                                                            				void* _t304;
                                                            				void* _t307;
                                                            				void* _t309;
                                                            				void* _t311;
                                                            				void* _t314;
                                                            				void* _t316;
                                                            				void* _t318;
                                                            				void* _t321;
                                                            				void* _t323;
                                                            				void* _t325;
                                                            
                                                            				_t181 = __ecx;
                                                            				_t177 = __eax;
                                                            				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
                                                            					_t284 = 0;
                                                            					L11:
                                                            					if(_t284 != 0) {
                                                            						goto L1;
                                                            					}
                                                            					_t187 =  *(_t177 - 0x18);
                                                            					if(_t187 ==  *(_t181 - 0x18)) {
                                                            						_t284 = 0;
                                                            						L22:
                                                            						if(_t284 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						_t188 =  *(_t177 - 0x14);
                                                            						if(_t188 ==  *(_t181 - 0x14)) {
                                                            							_t284 = 0;
                                                            							L33:
                                                            							if(_t284 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							_t189 =  *(_t177 - 0x10);
                                                            							if(_t189 ==  *(_t181 - 0x10)) {
                                                            								_t284 = 0;
                                                            								L44:
                                                            								if(_t284 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
                                                            									_t284 = 0;
                                                            									L55:
                                                            									if(_t284 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									_t191 =  *(_t177 - 8);
                                                            									if(_t191 ==  *(_t181 - 8)) {
                                                            										_t284 = 0;
                                                            										L66:
                                                            										if(_t284 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										_t192 =  *(_t177 - 4);
                                                            										if(_t192 ==  *(_t181 - 4)) {
                                                            											_t178 = 0;
                                                            											L78:
                                                            											if(_t178 == 0) {
                                                            												_t178 = 0;
                                                            											}
                                                            											L80:
                                                            											return _t178;
                                                            										}
                                                            										_t287 = (_t192 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
                                                            										if(_t287 == 0) {
                                                            											L70:
                                                            											_t289 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
                                                            											if(_t289 == 0) {
                                                            												L72:
                                                            												_t291 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
                                                            												if(_t291 == 0) {
                                                            													L75:
                                                            													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
                                                            													if(_t178 != 0) {
                                                            														_t178 = (0 | _t178 > 0x00000000) + (0 | _t178 > 0x00000000) - 1;
                                                            													}
                                                            													goto L78;
                                                            												}
                                                            												_t198 = (0 | _t291 > 0x00000000) + (0 | _t291 > 0x00000000) - 1;
                                                            												if(_t198 == 0) {
                                                            													goto L75;
                                                            												}
                                                            												L74:
                                                            												_t178 = _t198;
                                                            												goto L78;
                                                            											}
                                                            											_t198 = (0 | _t289 > 0x00000000) + (0 | _t289 > 0x00000000) - 1;
                                                            											if(_t198 != 0) {
                                                            												goto L74;
                                                            											}
                                                            											goto L72;
                                                            										}
                                                            										_t198 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
                                                            										if(_t198 != 0) {
                                                            											goto L74;
                                                            										}
                                                            										goto L70;
                                                            									}
                                                            									_t293 = (_t191 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
                                                            									if(_t293 == 0) {
                                                            										L59:
                                                            										_t295 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
                                                            										if(_t295 == 0) {
                                                            											L61:
                                                            											_t297 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
                                                            											if(_t297 == 0) {
                                                            												L63:
                                                            												_t284 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
                                                            												if(_t284 != 0) {
                                                            													_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                            												}
                                                            												goto L66;
                                                            											}
                                                            											_t284 = (0 | _t297 > 0x00000000) + (0 | _t297 > 0x00000000) - 1;
                                                            											if(_t284 != 0) {
                                                            												goto L1;
                                                            											}
                                                            											goto L63;
                                                            										}
                                                            										_t284 = (0 | _t295 > 0x00000000) + (0 | _t295 > 0x00000000) - 1;
                                                            										if(_t284 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L61;
                                                            									}
                                                            									_t284 = (0 | _t293 > 0x00000000) + (0 | _t293 > 0x00000000) - 1;
                                                            									if(_t284 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L59;
                                                            								}
                                                            								_t300 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
                                                            								if(_t300 == 0) {
                                                            									L48:
                                                            									_t302 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
                                                            									if(_t302 == 0) {
                                                            										L50:
                                                            										_t304 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
                                                            										if(_t304 == 0) {
                                                            											L52:
                                                            											_t284 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
                                                            											if(_t284 != 0) {
                                                            												_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                            											}
                                                            											goto L55;
                                                            										}
                                                            										_t284 = (0 | _t304 > 0x00000000) + (0 | _t304 > 0x00000000) - 1;
                                                            										if(_t284 != 0) {
                                                            											goto L1;
                                                            										}
                                                            										goto L52;
                                                            									}
                                                            									_t284 = (0 | _t302 > 0x00000000) + (0 | _t302 > 0x00000000) - 1;
                                                            									if(_t284 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L50;
                                                            								}
                                                            								_t284 = (0 | _t300 > 0x00000000) + (0 | _t300 > 0x00000000) - 1;
                                                            								if(_t284 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L48;
                                                            							}
                                                            							_t307 = (_t189 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
                                                            							if(_t307 == 0) {
                                                            								L37:
                                                            								_t309 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
                                                            								if(_t309 == 0) {
                                                            									L39:
                                                            									_t311 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
                                                            									if(_t311 == 0) {
                                                            										L41:
                                                            										_t284 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
                                                            										if(_t284 != 0) {
                                                            											_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                            										}
                                                            										goto L44;
                                                            									}
                                                            									_t284 = (0 | _t311 > 0x00000000) + (0 | _t311 > 0x00000000) - 1;
                                                            									if(_t284 != 0) {
                                                            										goto L1;
                                                            									}
                                                            									goto L41;
                                                            								}
                                                            								_t284 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                            								if(_t284 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L39;
                                                            							}
                                                            							_t284 = (0 | _t307 > 0x00000000) + (0 | _t307 > 0x00000000) - 1;
                                                            							if(_t284 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L37;
                                                            						}
                                                            						_t314 = (_t188 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
                                                            						if(_t314 == 0) {
                                                            							L26:
                                                            							_t316 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
                                                            							if(_t316 == 0) {
                                                            								L28:
                                                            								_t318 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
                                                            								if(_t318 == 0) {
                                                            									L30:
                                                            									_t284 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
                                                            									if(_t284 != 0) {
                                                            										_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                            									}
                                                            									goto L33;
                                                            								}
                                                            								_t284 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
                                                            								if(_t284 != 0) {
                                                            									goto L1;
                                                            								}
                                                            								goto L30;
                                                            							}
                                                            							_t284 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                            							if(_t284 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L28;
                                                            						}
                                                            						_t284 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
                                                            						if(_t284 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L26;
                                                            					}
                                                            					_t321 = (_t187 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
                                                            					if(_t321 == 0) {
                                                            						L15:
                                                            						_t323 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
                                                            						if(_t323 == 0) {
                                                            							L17:
                                                            							_t325 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
                                                            							if(_t325 == 0) {
                                                            								L19:
                                                            								_t284 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
                                                            								if(_t284 != 0) {
                                                            									_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                            								}
                                                            								goto L22;
                                                            							}
                                                            							_t284 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
                                                            							if(_t284 != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L19;
                                                            						}
                                                            						_t284 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
                                                            						if(_t284 != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L17;
                                                            					}
                                                            					_t284 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
                                                            					if(_t284 != 0) {
                                                            						goto L1;
                                                            					}
                                                            					goto L15;
                                                            				} else {
                                                            					__esi = __dl & 0x000000ff;
                                                            					__edx =  *(__ecx - 0x1c) & 0x000000ff;
                                                            					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                                                            					if(__esi == 0) {
                                                            						L4:
                                                            						__esi =  *(__eax - 0x1b) & 0x000000ff;
                                                            						__edx =  *(__ecx - 0x1b) & 0x000000ff;
                                                            						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
                                                            						if(__esi == 0) {
                                                            							L6:
                                                            							__esi =  *(__eax - 0x1a) & 0x000000ff;
                                                            							__edx =  *(__ecx - 0x1a) & 0x000000ff;
                                                            							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
                                                            							if(__esi == 0) {
                                                            								L8:
                                                            								__esi =  *(__eax - 0x19) & 0x000000ff;
                                                            								__edx =  *(__ecx - 0x19) & 0x000000ff;
                                                            								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
                                                            								if(__esi != 0) {
                                                            									0 = 0 | __esi > 0x00000000;
                                                            									__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            									__esi = (__esi > 0) + (__esi > 0) - 1;
                                                            								}
                                                            								goto L11;
                                                            							}
                                                            							0 = 0 | __esi > 0x00000000;
                                                            							__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            							__esi = __edx;
                                                            							if(__edx != 0) {
                                                            								goto L1;
                                                            							}
                                                            							goto L8;
                                                            						}
                                                            						0 = 0 | __esi > 0x00000000;
                                                            						__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            						__esi = __edx;
                                                            						if(__edx != 0) {
                                                            							goto L1;
                                                            						}
                                                            						goto L6;
                                                            					}
                                                            					0 = 0 | __esi > 0x00000000;
                                                            					__edx = (__esi > 0) + (__esi > 0) - 1;
                                                            					__esi = __edx;
                                                            					if(__edx != 0) {
                                                            						goto L1;
                                                            					}
                                                            					goto L4;
                                                            				}
                                                            				L1:
                                                            				_t178 = _t284;
                                                            				goto L80;
                                                            			}

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                            • Instruction ID: 2c3bfc351a61054c374a8fd5be6a54f1f18552b71571a465d5411a81f20003fa
                                                            • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                            • Instruction Fuzzy Hash: 7DC16E73D1ADB38A8735812D50582FBEE636FD174031EC3A29CE42F38DD22A9D9196D4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040D0E1(signed int* __eax, signed int* __ecx, signed int* _a4) {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				unsigned int _v20;
                                                            				signed int _v24;
                                                            				unsigned int _v28;
                                                            				unsigned int _v32;
                                                            				unsigned int _v44;
                                                            				signed int _t195;
                                                            				unsigned int _t198;
                                                            				signed int* _t284;
                                                            				signed int* _t285;
                                                            				signed int _t286;
                                                            				unsigned int _t289;
                                                            				unsigned int _t304;
                                                            				unsigned int _t328;
                                                            				unsigned int _t350;
                                                            				signed int* _t385;
                                                            				signed int _t417;
                                                            				unsigned int _t421;
                                                            				unsigned int _t435;
                                                            
                                                            				_t286 =  *__ecx;
                                                            				_v8 = _t286;
                                                            				_t284 = __ecx + (_t286 << 5) + 0x10;
                                                            				_t289 = _t284[2] ^ __eax[2];
                                                            				_t198 =  *_t284 ^  *__eax;
                                                            				_t421 = _t284[1] ^ __eax[1];
                                                            				_t328 = _t284[3] ^ __eax[3];
                                                            				_v20 = _t289;
                                                            				_v16 = _t328;
                                                            				_v12 = _t289 >> 0x00000010 & 0x000000ff;
                                                            				_t285 = _t284 - 0x20;
                                                            				_v44 =  *(0x42f7b0 + (_t328 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + _v12 * 4) ^  *(0x42ffb0 + (_t421 >> 0x18) * 4) ^  *(0x42f3b0 + (_t198 & 0x000000ff) * 4) ^ _t285[4];
                                                            				_v24 = _t421;
                                                            				_t350 =  *(0x42f7b0 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_t421 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_t198 >> 0x18) * 4) ^  *(0x42f3b0 + (_v16 & 0x000000ff) * 4) ^ _t285[7];
                                                            				_t304 =  *(0x42f7b0 + (_t421 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_t198 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v16 >> 0x18) * 4) ^  *(0x42f3b0 + (_v20 & 0x000000ff) * 4) ^ _t285[6];
                                                            				_v32 = _t350;
                                                            				_t435 =  *(0x42fbb0 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42f7b0 + (_t198 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v20 >> 0x18) * 4) ^  *(0x42f3b0 + (_v24 & 0x000000ff) * 4) ^ _t285[5];
                                                            				_t60 =  &_v8;
                                                            				 *_t60 = _v8 - 1;
                                                            				if( *_t60 != 0) {
                                                            					while(1) {
                                                            						_v28 =  *(0x42f7b0 + (_t350 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_t304 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_t435 >> 0x18) * 4) ^  *(0x42f3b0 + (_v44 & 0x000000ff) * 4) ^  *_t285;
                                                            						_v20 =  *(0x42f7b0 + (_t435 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_v44 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v32 >> 0x18) * 4) ^  *(0x42f3b0 + (_t304 & 0x000000ff) * 4) ^ _t285[2];
                                                            						_v16 =  *(0x42fbb0 + (_t435 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42f7b0 + (_t304 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v44 >> 0x18) * 4) ^  *(0x42f3b0 + (_v32 & 0x000000ff) * 4) ^ _t285[3];
                                                            						_t285 = _t285 - 0x20;
                                                            						_t417 =  *(0x42fbb0 + (_v32 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42f7b0 + (_v44 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_t304 >> 0x18) * 4) ^  *(0x42f3b0 + (_t435 & 0x000000ff) * 4) ^ _t285[9];
                                                            						_v44 =  *(0x42f7b0 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_t417 >> 0x18) * 4) ^  *(0x42f3b0 + (_v28 & 0x000000ff) * 4) ^ _t285[4];
                                                            						_t304 =  *(0x42f7b0 + (_t417 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_v28 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v16 >> 0x18) * 4) ^  *(0x42f3b0 + (_v20 & 0x000000ff) * 4) ^ _t285[6];
                                                            						_v32 =  *(0x42f7b0 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_t417 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v28 >> 0x18) * 4) ^  *(0x42f3b0 + (_v16 & 0x000000ff) * 4) ^ _t285[7];
                                                            						_t158 =  &_v8;
                                                            						 *_t158 = _v8 - 1;
                                                            						_t435 =  *(0x42fbb0 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42f7b0 + (_v28 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v20 >> 0x18) * 4) ^  *(0x42f3b0 + (_t417 & 0x000000ff) * 4) ^ _t285[5];
                                                            						if( *_t158 == 0) {
                                                            							goto L4;
                                                            						}
                                                            						_t350 = _v32;
                                                            					}
                                                            				}
                                                            				L4:
                                                            				 *_a4 = ((( *((_t304 >> 0x00000010 & 0x000000ff) + 0x4303b0) & 0x000000ff | ( *((_t435 >> 0x18) + 0x4303b0) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_v32 >> 0x00000008 & 0x000000ff) + 0x4303b0) & 0x000000ff) << 0x00000008 |  *((_v44 & 0x000000ff) + 0x4303b0) & 0x000000ff) ^  *_t285;
                                                            				_a4[1] = ((( *((_v32 >> 0x00000010 & 0x000000ff) + 0x4303b0) & 0x000000ff | ( *((_t304 >> 0x18) + 0x4303b0) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_v44 >> 0x00000008 & 0x000000ff) + 0x4303b0) & 0x000000ff) << 0x00000008 |  *((_t435 & 0x000000ff) + 0x4303b0) & 0x000000ff) ^ _t285[1];
                                                            				_t385 = _a4;
                                                            				_t385[2] = ((( *((_v44 >> 0x00000010 & 0x000000ff) + 0x4303b0) & 0x000000ff | ( *((_v32 >> 0x18) + 0x4303b0) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t435 >> 0x00000008 & 0x000000ff) + 0x4303b0) & 0x000000ff) << 0x00000008 |  *((_t304 & 0x000000ff) + 0x4303b0) & 0x000000ff) ^ _t285[2];
                                                            				_t195 =  *((_v32 & 0x000000ff) + 0x4303b0) & 0x000000ff;
                                                            				_t385[3] = ((( *((_t435 >> 0x00000010 & 0x000000ff) + 0x4303b0) & 0x000000ff | ( *((_v44 >> 0x18) + 0x4303b0) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t304 >> 0x00000008 & 0x000000ff) + 0x4303b0) & 0x000000ff) << 0x00000008 | _t195) ^ _t285[3];
                                                            				return _t195;
                                                            			}

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • Opcode ID: 0cfc6000c62d7bd4ad52ff40bd66c3b0a36c2a62a8a423c049686098c6414be0
                                                            • Instruction ID: 76f220414fc603ce51afa1bac02335ee47805ea7e198b4a5cd840bd89b385469
                                                            • Opcode Fuzzy Hash: 0cfc6000c62d7bd4ad52ff40bd66c3b0a36c2a62a8a423c049686098c6414be0
                                                            • Instruction Fuzzy Hash: 8FD13D77E106658BDB50CFA9DCD0149B7B2BB89320B9F82B4CA5467216C234B913CBE4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040CCB9(signed int* __eax, intOrPtr* __ecx, signed int* _a4) {
                                                            				char _v8;
                                                            				signed int _v12;
                                                            				unsigned int _v16;
                                                            				unsigned int _v20;
                                                            				unsigned int _v24;
                                                            				unsigned int _v28;
                                                            				signed int _v32;
                                                            				signed int _t188;
                                                            				unsigned int _t191;
                                                            				signed int* _t275;
                                                            				signed int* _t276;
                                                            				signed int* _t277;
                                                            				unsigned int _t282;
                                                            				unsigned int _t297;
                                                            				unsigned int _t341;
                                                            				signed int* _t377;
                                                            				signed int _t409;
                                                            				unsigned int _t413;
                                                            				unsigned int _t427;
                                                            
                                                            				_v8 =  *__ecx;
                                                            				_t275 = __ecx + 0x10;
                                                            				_v20 =  *(__ecx + 0x14) ^ __eax[1];
                                                            				_t282 = _t275[3] ^ __eax[3];
                                                            				_t191 = _t275[2] ^ __eax[2];
                                                            				_t413 =  *_t275 ^  *__eax;
                                                            				_v12 = _t282;
                                                            				_t276 =  &(_t275[4]);
                                                            				_v32 =  *(0x42e7b0 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ebb0 + (_t413 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v20 >> 0x18) * 4) ^  *(0x42e3b0 + (_t191 & 0x000000ff) * 4) ^ _t275[6];
                                                            				_v24 = _t413;
                                                            				_t297 =  *(0x42ebb0 + (_t191 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v12 >> 0x18) * 4) ^  *(0x42e3b0 + (_t413 & 0x000000ff) * 4) ^  *_t276;
                                                            				_t341 =  *(0x42ebb0 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_t413 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_t191 >> 0x18) * 4) ^  *(0x42e3b0 + (_v12 & 0x000000ff) * 4) ^ _t276[3];
                                                            				_v28 = _t341;
                                                            				_t427 =  *(0x42ebb0 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_t191 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v24 >> 0x18) * 4) ^  *(0x42e3b0 + (_v20 & 0x000000ff) * 4) ^ _t276[1];
                                                            				while(1) {
                                                            					_t56 =  &_v8;
                                                            					 *_t56 = _v8 - 1;
                                                            					if( *_t56 == 0) {
                                                            						break;
                                                            					}
                                                            					_v16 =  *(0x42e7b0 + (_t341 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ebb0 + (_t297 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42efb0 + (_t427 >> 0x18) * 4) ^  *(0x42e3b0 + (_v32 & 0x000000ff) * 4) ^ _t276[6];
                                                            					_v24 =  *(0x42e7b0 + (_t427 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ebb0 + (_v32 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v28 >> 0x18) * 4) ^  *(0x42e3b0 + (_t297 & 0x000000ff) * 4) ^ _t276[4];
                                                            					_v12 =  *(0x42ebb0 + (_t427 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_t297 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v32 >> 0x18) * 4) ^  *(0x42e3b0 + (_v28 & 0x000000ff) * 4) ^ _t276[7];
                                                            					_t276 =  &(_t276[8]);
                                                            					_t409 =  *(0x42ebb0 + (_v28 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_v32 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_t297 >> 0x18) * 4) ^  *(0x42e3b0 + (_t427 & 0x000000ff) * 4) ^  *(_t276 - 0xc);
                                                            					_v32 =  *(0x42e7b0 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ebb0 + (_v24 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42efb0 + (_t409 >> 0x18) * 4) ^  *(0x42e3b0 + (_v16 & 0x000000ff) * 4) ^ _t276[2];
                                                            					_t297 =  *(0x42ebb0 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_t409 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v12 >> 0x18) * 4) ^  *(0x42e3b0 + (_v24 & 0x000000ff) * 4) ^  *_t276;
                                                            					_v28 =  *(0x42ebb0 + (_t409 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_v24 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v16 >> 0x18) * 4) ^  *(0x42e3b0 + (_v12 & 0x000000ff) * 4) ^ _t276[3];
                                                            					_t341 = _v28;
                                                            					_t427 =  *(0x42ebb0 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v24 >> 0x18) * 4) ^  *(0x42e3b0 + (_t409 & 0x000000ff) * 4) ^ _t276[1];
                                                            				}
                                                            				_t277 =  &(_t276[4]);
                                                            				 *_a4 = ((( *((_v32 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_t341 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t427 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t297 & 0x000000ff) + 0x42cdd8) & 0x000000ff) ^  *_t277;
                                                            				_a4[1] = ((( *((_v28 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_t297 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_v32 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t427 & 0x000000ff) + 0x42cdd8) & 0x000000ff) ^ _t277[1];
                                                            				_t377 = _a4;
                                                            				_t377[2] = ((( *((_t297 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_t427 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_v28 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_v32 & 0x000000ff) + 0x42cdd8) & 0x000000ff) ^ _t277[2];
                                                            				_t188 =  *((_v28 & 0x000000ff) + 0x42cdd8) & 0x000000ff;
                                                            				_t377[3] = ((( *((_t427 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_v32 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t297 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 | _t188) ^ _t277[3];
                                                            				return _t188;
                                                            			}

                                                            Similarity
                                                            • Opcode ID: 8c9c7050ca94e8298667664901ff717b58675a00e7e2e33fca0e0cfc9411951c
                                                            • Instruction ID: e55cd98cb9f967dd300f2e58628a4cb6cdbaafe22551165e888f1a22e7b5183d
                                                            • Opcode Fuzzy Hash: 8c9c7050ca94e8298667664901ff717b58675a00e7e2e33fca0e0cfc9411951c
                                                            • Instruction Fuzzy Hash: 44D11E37E106658BDB50CFAADCC0159B7A3BFC9320B9F86A8CA5467256C2347913CBD4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E0040D67F() {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				void* __esi;
                                                            				char _t34;
                                                            				signed int _t41;
                                                            				signed int _t54;
                                                            				signed int _t55;
                                                            				void* _t62;
                                                            				signed int _t70;
                                                            				signed int _t96;
                                                            				signed int _t99;
                                                            				signed int _t107;
                                                            				signed int _t113;
                                                            				signed int _t124;
                                                            				signed int _t125;
                                                            				signed int _t127;
                                                            				signed int _t134;
                                                            				signed int _t137;
                                                            				signed int _t138;
                                                            				signed int _t143;
                                                            				signed int _t145;
                                                            
                                                            				_t34 = 0;
                                                            				do {
                                                            					_t1 = _t34 + 0x42cdd8; // 0x7b777c63
                                                            					 *((char*)(( *_t1 & 0x000000ff) + 0x4303b0)) = _t34;
                                                            					_t34 = _t34 + 1;
                                                            				} while (_t34 < 0x100);
                                                            				_v8 = _v8 & 0x00000000;
                                                            				do {
                                                            					_t6 = _v8 + 0x42cdd8; // 0x7b777c63
                                                            					_t137 =  *_t6 & 0x000000ff;
                                                            					asm("sbb eax, eax");
                                                            					_t41 = ( ~(_t137 & 0x80) & 0x0000001b ^ _t137 + _t137) & 0x000000ff;
                                                            					_t99 = _t41 ^ _t137;
                                                            					_v12 = _t99;
                                                            					_t96 = _v8 << 2;
                                                            					 *(_t96 + 0x42e3b0) = ((_t99 << 0x00000008 | _t137) << 0x00000008 | _t137) << 0x00000008 | _t41;
                                                            					_t107 = _t137 << 8;
                                                            					 *(_t96 + 0x42e7b0) = ((_t107 | _t137) << 0x00000008 | _t41) << 0x00000008 | _v12;
                                                            					_t70 = _v8;
                                                            					_t15 = _t70 + 0x42cdd8; // 0x7b777c63
                                                            					_t138 =  *_t15 & 0x000000ff;
                                                            					 *(_t96 + 0x42ebb0) = ((_t107 | _t41) << 0x00000008 | _v12) << 0x00000008 | _t138;
                                                            					_t17 = _t70 + 0x4303b0; // 0xd56a0952
                                                            					_t113 =  *_t17 & 0x000000ff;
                                                            					 *(_t96 + 0x42efb0) = ((_t41 << 0x00000008 | _v12) << 0x00000008 | _t138) << 0x00000008 | _t138;
                                                            					_v12 = _t113;
                                                            					asm("sbb eax, eax");
                                                            					_t54 = ( ~(_t113 & 0x80) & 0x0000001b ^ _t113 + _t113) & 0x000000ff;
                                                            					asm("sbb esi, esi");
                                                            					_t143 = ( ~(_t54 & 0x80) & 0x0000001b ^ _t54 + _t54) & 0x000000ff;
                                                            					asm("sbb edx, edx");
                                                            					_t124 = ( ~(_t143 & 0x80) & 0x0000001b ^ _t143 + _t143) & 0x000000ff;
                                                            					_v16 = _t124 ^ _v12;
                                                            					_t134 = _t124 ^ _t54 ^ _v12;
                                                            					_t125 = _t124 ^ _t143;
                                                            					_t145 = _t125 ^ _v12;
                                                            					_t55 = _t125 ^ _t54;
                                                            					_t127 = _v16;
                                                            					 *(_t96 + 0x42f3b0) = ((_t134 << 0x00000008 | _t145) << 0x00000008 | _t127) << 0x00000008 | _t55;
                                                            					 *(_t96 + 0x42f7b0) = ((_t145 << 0x00000008 | _t127) << 0x00000008 | _t55) << 0x00000008 | _t134;
                                                            					_v8 = _v8 + 1;
                                                            					_t150 = _v8 - 0x100;
                                                            					 *(_t96 + 0x42fbb0) = ((_t127 << 0x00000008 | _t55) << 0x00000008 | _t134) << 0x00000008 | _t145;
                                                            					 *(_t96 + 0x42ffb0) = ((_t55 << 0x00000008 | _t134) << 0x00000008 | _t145) << 0x00000008 | _t127;
                                                            				} while (_v8 < 0x100);
                                                            				 *0x431158 = E0040D534;
                                                            				 *0x431160 = E0040D58C;
                                                            				 *0x43115c = E0040D60E;
                                                            				_t62 = E0040DBBE(_t145, _t150);
                                                            				if(_t62 != 0) {
                                                            					 *0x431158 = 0x4106ae;
                                                            					 *0x431160 = 0x4106b3;
                                                            					 *0x43115c = 0x4106b8;
                                                            					return _t62;
                                                            				}
                                                            				return _t62;
                                                            			}

























                                                            0x0040d685
                                                            0x0040d687
                                                            0x0040d687
                                                            0x0040d68e
                                                            0x0040d694
                                                            0x0040d695
                                                            0x0040d69c
                                                            0x0040d6a3
                                                            0x0040d6a6
                                                            0x0040d6a6
                                                            0x0040d6b6
                                                            0x0040d6c5
                                                            0x0040d6c9
                                                            0x0040d6cb
                                                            0x0040d6dd
                                                            0x0040d6e0
                                                            0x0040d6e8
                                                            0x0040d70e
                                                            0x0040d714
                                                            0x0040d717
                                                            0x0040d717
                                                            0x0040d722
                                                            0x0040d728
                                                            0x0040d728
                                                            0x0040d734
                                                            0x0040d73e

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aee69a52f2e05a42dc781db024eb72f8ab53ffe79c266a6572178bcad1af81da
                                                            • Instruction ID: 6a22c5127146d23af461cc2f65cf440ff924ceb3262248ac72f561739daf3693
                                                            • Opcode Fuzzy Hash: aee69a52f2e05a42dc781db024eb72f8ab53ffe79c266a6572178bcad1af81da
                                                            • Instruction Fuzzy Hash: 2251D432F206704AF700CAAA8CC41897FE3EBC8345759C67AC954DB285C7BC4557CBA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040CB18(intOrPtr* __ecx, signed int* __edx, signed int _a4) {
                                                            				signed int* _v8;
                                                            				signed int _v12;
                                                            				intOrPtr _v16;
                                                            				unsigned int _t37;
                                                            				signed int _t38;
                                                            				signed int _t40;
                                                            				void* _t72;
                                                            				signed int* _t73;
                                                            				signed int _t77;
                                                            				intOrPtr _t90;
                                                            				signed int _t91;
                                                            				signed int _t100;
                                                            
                                                            				_t73 = __edx;
                                                            				_t37 = _a4;
                                                            				_t90 = _t37 + 0x1c;
                                                            				_t38 = _t37 >> 2;
                                                            				 *__ecx = (_t38 >> 1) + 3;
                                                            				_t72 = __ecx + 0x10;
                                                            				_t100 = 0;
                                                            				_v16 = _t90;
                                                            				_a4 = _t38;
                                                            				if(_t38 <= 0) {
                                                            					L2:
                                                            					if(_t100 >= _t90) {
                                                            						L10:
                                                            						return _t38;
                                                            					}
                                                            					_v8 = _t72 + (_t100 - _t38) * 4;
                                                            					do {
                                                            						_t40 = _t100;
                                                            						_t77 = _t40 % _a4;
                                                            						_t91 =  *(_t72 + _t100 * 4 - 4);
                                                            						_v12 = _t40 / _a4;
                                                            						if(_t77 != 0) {
                                                            							if(_a4 > 6 && _t77 == 4) {
                                                            								_t91 = (( *((_t91 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_t91 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t91 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t91 & 0x000000ff) + 0x42cdd8) & 0x000000ff;
                                                            							}
                                                            						} else {
                                                            							_t91 = ((( *((_t91 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t91 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t91 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t91 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff ^  *(_v12 + 0x42ced8) & 0x000000ff;
                                                            						}
                                                            						_v8 =  &(_v8[1]);
                                                            						_t38 =  *_v8 ^ _t91;
                                                            						 *(_t72 + _t100 * 4) = _t38;
                                                            						_t100 = _t100 + 1;
                                                            					} while (_t100 < _v16);
                                                            					goto L10;
                                                            				} else {
                                                            					goto L1;
                                                            				}
                                                            				do {
                                                            					L1:
                                                            					 *(_t72 + _t100 * 4) =  *_t73;
                                                            					_t100 = _t100 + 1;
                                                            					_t73 =  &(_t73[1]);
                                                            				} while (_t100 < _t38);
                                                            				goto L2;
                                                            			}
















                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0b0f386d1f83ac84247768cd47b6c21ba11a82ca0a77180d09c64650b95f758e
                                                            • Instruction ID: 4a51ee0899f6aa877cb982f23d933457a9856b6070a88fcefa5a6ad76c6c8c19
                                                            • Opcode Fuzzy Hash: 0b0f386d1f83ac84247768cd47b6c21ba11a82ca0a77180d09c64650b95f758e
                                                            • Instruction Fuzzy Hash: 0C313632F506218BE7118F6E8CC005DBFE3AFC521075882B6D9A4DB386D938EA52C7D4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040CA77(signed int __ecx, signed char __edx, unsigned int _a4, unsigned int _a8) {
                                                            				signed int _t32;
                                                            				unsigned int _t34;
                                                            				signed char _t45;
                                                            				unsigned int _t65;
                                                            
                                                            				_t65 = _a8;
                                                            				_t32 = __ecx;
                                                            				_t45 = __edx;
                                                            				while(_a4 > 0) {
                                                            					if((_t45 & 0x00000003) != 0) {
                                                            						_t32 = _t32 >> 0x00000008 ^  *(_t65 + (( *_t45 & 0x000000ff ^ _t32) & 0x000000ff) * 4);
                                                            						_a4 = _a4 - 1;
                                                            						_t45 = _t45 + 1;
                                                            						continue;
                                                            					}
                                                            					break;
                                                            				}
                                                            				if(_a4 >= 4) {
                                                            					_a8 = _a4 >> 2;
                                                            					do {
                                                            						_t34 = _t32 ^  *_t45;
                                                            						_a4 = _a4 - 4;
                                                            						_t45 = _t45 + 4;
                                                            						_t25 =  &_a8;
                                                            						 *_t25 = _a8 - 1;
                                                            						_t32 =  *(_t65 + 0x800 + (_t34 >> 0x00000008 & 0x000000ff) * 4) ^  *(_t65 + 0x400 + (_t34 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t65 + 0xc00 + (_t34 & 0x000000ff) * 4) ^  *(_t65 + (_t34 >> 0x18) * 4);
                                                            					} while ( *_t25 != 0);
                                                            					L9:
                                                            					while(_a4 > 0) {
                                                            						_t32 = _t32 >> 0x00000008 ^  *(_t65 + (( *_t45 & 0x000000ff ^ _t32) & 0x000000ff) * 4);
                                                            						_a4 = _a4 - 1;
                                                            						_t45 = _t45 + 1;
                                                            					}
                                                            					return _t32;
                                                            				}
                                                            				goto L9;
                                                            			}








                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5ba07dcea3c86158cd3bd6dc6ecf5688b8c76a034248f7408b1467d4b0ce7cb9
                                                            • Instruction ID: 4b2e18279380e8e2ea2cade48a7a33503f3b558ca5dd1125519b5dc0726fd5de
                                                            • Opcode Fuzzy Hash: 5ba07dcea3c86158cd3bd6dc6ecf5688b8c76a034248f7408b1467d4b0ce7cb9
                                                            • Instruction Fuzzy Hash: 87110433210619DBD715CF29D880397B3E2EBC4359F2AC13AED455B241C638F582CB84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E0040DA29(intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr _t18;
                                                            
                                                            				asm("cpuid");
                                                            				_v8 = _a4;
                                                            				_v12 = 0;
                                                            				_v16 = 0;
                                                            				_v20 = 0;
                                                            				 *_a8 = _v8;
                                                            				 *_a12 = _v12;
                                                            				 *_a16 = _v16;
                                                            				_t18 = _v20;
                                                            				 *_a20 = _t18;
                                                            				return _t18;
                                                            			}









                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 71f640c13c4a1a1083acb58eab2e31c20d3daad36dbe5f2c12d2aea573353dbb
                                                            • Instruction ID: 77ecadd4a482efa7565a9f0d42a66e586b69bcb13aa4452082738fb18a71dae5
                                                            • Opcode Fuzzy Hash: 71f640c13c4a1a1083acb58eab2e31c20d3daad36dbe5f2c12d2aea573353dbb
                                                            • Instruction Fuzzy Hash: 46F074B5A05209EFCB09CFA9C49199EFBF5FF49304B1084A9E819E7350E731AA11CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E004187A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				struct HINSTANCE__* _t23;
                                                            				intOrPtr _t28;
                                                            				intOrPtr _t32;
                                                            				intOrPtr _t45;
                                                            				void* _t46;
                                                            
                                                            				_t35 = __ebx;
                                                            				_push(0xc);
                                                            				_push(0x42a518);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				_t44 = L"KERNEL32.DLL";
                                                            				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                                                            				if(_t23 == 0) {
                                                            					_t23 = E0041A9CE(_t44);
                                                            				}
                                                            				 *(_t46 - 0x1c) = _t23;
                                                            				_t45 =  *((intOrPtr*)(_t46 + 8));
                                                            				 *((intOrPtr*)(_t45 + 0x5c)) = 0x424b30;
                                                            				 *((intOrPtr*)(_t45 + 0x14)) = 1;
                                                            				if(_t23 != 0) {
                                                            					_t35 = GetProcAddress;
                                                            					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                                                            					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
                                                            				}
                                                            				 *((intOrPtr*)(_t45 + 0x70)) = 1;
                                                            				 *((char*)(_t45 + 0xc8)) = 0x43;
                                                            				 *((char*)(_t45 + 0x14b)) = 0x43;
                                                            				 *(_t45 + 0x68) = 0x42d840;
                                                            				E00419EA7(_t35, 0xd);
                                                            				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                                                            				InterlockedIncrement( *(_t45 + 0x68));
                                                            				 *(_t46 - 4) = 0xfffffffe;
                                                            				E0041887D();
                                                            				E00419EA7(_t35, 0xc);
                                                            				 *(_t46 - 4) = 1;
                                                            				_t28 =  *((intOrPtr*)(_t46 + 0xc));
                                                            				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
                                                            				if(_t28 == 0) {
                                                            					_t32 =  *0x42d830; // 0x42d758
                                                            					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
                                                            				}
                                                            				E0041C7F2( *((intOrPtr*)(_t45 + 0x6c)));
                                                            				 *(_t46 - 4) = 0xfffffffe;
                                                            				return E00417BB1(E00418886());
                                                            			}









                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042A518,0000000C,004188E3,00000000,00000000,?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C), ref: 004187BA
                                                            • __crt_waiting_on_module_handle.LIBCMT ref: 004187C5
                                                              • Part of subcall function 0041A9CE: Sleep.KERNEL32(000003E8,?,?,004186CE,KERNEL32.DLL,?,0041873A,?,00417A43), ref: 0041A9DA
                                                              • Part of subcall function 0041A9CE: GetModuleHandleW.KERNEL32(?,?,?,004186CE,KERNEL32.DLL,?,0041873A,?,00417A43), ref: 0041A9E3
                                                            • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004187EE
                                                            • GetProcAddress.KERNEL32(?,DecodePointer), ref: 004187FE
                                                            • __lock.LIBCMT ref: 00418820
                                                            • InterlockedIncrement.KERNEL32(0042D840), ref: 0041882D
                                                            • __lock.LIBCMT ref: 00418841
                                                            • ___addlocaleref.LIBCMT ref: 0041885F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                            • String ID: 0KB$DecodePointer$EncodePointer$KERNEL32.DLL
                                                            • API String ID: 1028249917-1715683212
                                                            • Opcode ID: 4eb2d2d8578cbe2392ac86c1bfc58d6bd58baf4d5e2e4a7a381ae62765332dd5
                                                            • Instruction ID: 4d8d1e5cb8e65c047eab52f700794214e88104f2c80f6a1ae4ac75198ce655ca
                                                            • Opcode Fuzzy Hash: 4eb2d2d8578cbe2392ac86c1bfc58d6bd58baf4d5e2e4a7a381ae62765332dd5
                                                            • Instruction Fuzzy Hash: 65117571A44701AED720EF76E845B9ABBF0AF44318F60452FE46993291CB7CA981CF5C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E0040A76E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t29;
                                                            				intOrPtr _t39;
                                                            				void* _t40;
                                                            
                                                            				_push(8);
                                                            				E00416B21(E00421764, __ebx, __edi, __esi);
                                                            				_t39 = __ecx;
                                                            				 *((intOrPtr*)(_t40 - 0x14)) = __ecx;
                                                            				 *((intOrPtr*)(__ecx + 4)) = 0x423648;
                                                            				 *((intOrPtr*)(__ecx + 8)) = 0x423320;
                                                            				 *((intOrPtr*)(__ecx + 0xc)) = 0x423848;
                                                            				 *((intOrPtr*)(__ecx + 0x10)) = 0x423434;
                                                            				 *((intOrPtr*)(__ecx + 0x14)) = 0x423860;
                                                            				 *((intOrPtr*)(__ecx + 0x18)) = 0x423874;
                                                            				 *((intOrPtr*)(__ecx + 0x1c)) = 0x423634;
                                                            				 *((intOrPtr*)(__ecx + 0x20)) = 0;
                                                            				 *((intOrPtr*)(__ecx)) = 0x42391c;
                                                            				 *((intOrPtr*)(__ecx + 4)) = 0x423904;
                                                            				 *((intOrPtr*)(__ecx + 8)) = 0x4238f0;
                                                            				 *((intOrPtr*)(__ecx + 0xc)) = 0x4238d8;
                                                            				 *((intOrPtr*)(__ecx + 0x10)) = 0x4238c4;
                                                            				 *((intOrPtr*)(__ecx + 0x14)) = 0x4238b0;
                                                            				 *((intOrPtr*)(__ecx + 0x18)) = 0x42389c;
                                                            				 *((intOrPtr*)(__ecx + 0x1c)) = 0x423888;
                                                            				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                                                            				 *((intOrPtr*)(_t40 - 4)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x50)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x54)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x58)) = 0;
                                                            				 *((char*)(_t40 - 4)) = 4;
                                                            				_t29 = E0040D873(0x20000);
                                                            				 *((intOrPtr*)(__ecx + 0x24)) = _t29;
                                                            				if(_t29 == 0) {
                                                            					 *((intOrPtr*)(_t40 - 0x10)) = 1;
                                                            					E004166E0(_t40 - 0x10, 0x4286f8);
                                                            				}
                                                            				return E00416BF9(_t39);
                                                            			}







                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040A775
                                                            • __CxxThrowException@8.LIBCMT ref: 0040A823
                                                              • Part of subcall function 004166E0: RaiseException.KERNEL32(?,?,?,00000001), ref: 00416722
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ExceptionException@8H_prolog3RaiseThrow
                                                            • String ID: 3B$44B$46B$H6B$H8B$`8B$t8B
                                                            • API String ID: 1961742612-2761110864
                                                            • Opcode ID: b1548735c7c1e4b7c7ad086c812b5e9b681731f2be5f1e43510b18a1fb9d846f
                                                            • Instruction ID: c0ed3f570d0a6da7dbc72ff777c841338a477779ef8172924cce9f6de6350eef
                                                            • Opcode Fuzzy Hash: b1548735c7c1e4b7c7ad086c812b5e9b681731f2be5f1e43510b18a1fb9d846f
                                                            • Instruction Fuzzy Hash: 4F11B4B0A01B649EC720EF56A40414AFAF4BF50709B90C90FE0969BA11C7FCA649CF88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0041397A(void* __ecx) {
                                                            				WCHAR* _t12;
                                                            				signed short _t15;
                                                            				signed int _t18;
                                                            				short* _t19;
                                                            				wchar_t* _t21;
                                                            				short* _t25;
                                                            				void* _t29;
                                                            				intOrPtr _t30;
                                                            				WCHAR* _t31;
                                                            
                                                            				_t29 = __ecx;
                                                            				_t31 = __ecx + 0xc;
                                                            				if( *_t31 == 0) {
                                                            					FormatMessageW(0x1300, 0,  *(__ecx + 4), 0x400, _t31, 0, 0);
                                                            					_t12 =  *_t31;
                                                            					if(_t12 == 0) {
                                                            						_t21 = LocalAlloc(0, 0x40);
                                                            						 *_t31 = _t21;
                                                            						if(_t21 != 0) {
                                                            							_t30 =  *((intOrPtr*)(_t29 + 4));
                                                            							_t15 = E00413828(_t30) & 0x0000ffff;
                                                            							if(_t15 == 0) {
                                                            								_push(_t30);
                                                            								_push(L"Unknown error 0x%0lX");
                                                            							} else {
                                                            								_push(_t15 & 0x0000ffff);
                                                            								_push(L"IDispatch error #%d");
                                                            							}
                                                            							swprintf(_t21, 0x20);
                                                            						}
                                                            					} else {
                                                            						_t18 = lstrlenW(_t12);
                                                            						if(_t18 > 1) {
                                                            							_t25 =  *_t31 + _t18 * 2 - 2;
                                                            							if( *_t25 == 0xa) {
                                                            								 *_t25 = 0;
                                                            								_t19 =  *_t31 + _t18 * 2 - 4;
                                                            								if( *_t19 == 0xd) {
                                                            									 *_t19 = 0;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return  *_t31;
                                                            			}













                                                            APIs
                                                            • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 0041399D
                                                            • lstrlenW.KERNEL32(00000000), ref: 004139AA
                                                            • LocalAlloc.KERNEL32(00000000,00000040), ref: 004139DD
                                                            • swprintf.LIBCMT ref: 00413A10
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AllocFormatLocalMessagelstrlenswprintf
                                                            • String ID: IDispatch error #%d$Unknown error 0x%0lX
                                                            • API String ID: 2315917530-2934499512
                                                            • Opcode ID: 1007b1d4e643293475a76aff5da773719591f5f1a5e5eba02f0138274c1fd98f
                                                            • Instruction ID: f10323cc770acb026687d76090fc9bd105fa0f7589f96fb523d81ed819a8aa42
                                                            • Opcode Fuzzy Hash: 1007b1d4e643293475a76aff5da773719591f5f1a5e5eba02f0138274c1fd98f
                                                            • Instruction Fuzzy Hash: CD110475200214ABC3209F96EC40DB777A9EF4538A760045FF185A7241C379AE92C7B8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E004138BE(void* __ebx, void* __edx, void* __eflags) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t15;
                                                            				long _t26;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				void* _t35;
                                                            				void* _t37;
                                                            				signed int _t38;
                                                            				void* _t40;
                                                            
                                                            				_t31 = __edx;
                                                            				_t38 = _t40 - 0x1f8c;
                                                            				E00417EA0(0x200c);
                                                            				_t15 =  *0x42d330; // 0x41c6c370
                                                            				 *(_t38 + 0x1f88) = _t15 ^ _t38;
                                                            				E00417D60(0x2000, _t38 - 0x78, 0, 0x2000);
                                                            				GetModuleFileNameW(0, _t38 - 0x78, 0x2000);
                                                            				 *(_t38 - 0x7c) = 0;
                                                            				RegCreateKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted", 0, 0, 0, 0xf003f, 0, _t38 - 0x7c, 0);
                                                            				 *(_t38 - 0x80) = 0x20;
                                                            				RegSetValueExW( *(_t38 - 0x7c), _t38 - 0x78, 0, 4, _t38 - 0x80, 4);
                                                            				_t26 = RegCloseKey( *(_t38 - 0x7c));
                                                            				_t34 = _t32;
                                                            				_t37 = _t35;
                                                            				return E00416B12(_t26, __ebx,  *(_t38 + 0x1f88) ^ _t38, _t31, _t34, _t37);
                                                            			}















                                                            APIs
                                                            • _memset.LIBCMT ref: 004138EC
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00002000), ref: 004138FA
                                                            • RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0041391B
                                                            • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00413938
                                                            • RegCloseKey.ADVAPI32(?), ref: 00413941
                                                            Strings
                                                            • Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted, xrefs: 0041390E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateFileModuleNameValue_memset
                                                            • String ID: Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
                                                            • API String ID: 2280741871-1848367592
                                                            • Opcode ID: 8082dd58de45f4dff7bdfc74514df0a5a51cbff410d03d1bd434bab7d9ddbba1
                                                            • Instruction ID: c7f43e50d42ea44c9d94cf56d05aa8b030a1cd6eea72f480556a558956673729
                                                            • Opcode Fuzzy Hash: 8082dd58de45f4dff7bdfc74514df0a5a51cbff410d03d1bd434bab7d9ddbba1
                                                            • Instruction Fuzzy Hash: A9112E72A00118AAE7309FA1EC48EEEBF7CEF45355F50002AFA15A3145D7345644CF68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E00411A77(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t51;
                                                            				void* _t58;
                                                            				void* _t65;
                                                            				void* _t72;
                                                            				void* _t102;
                                                            				void* _t103;
                                                            				void* _t106;
                                                            
                                                            				_t106 = __eflags;
                                                            				_t83 = __ebx;
                                                            				_push(0x3c);
                                                            				E00416B21(E00421EB1, __ebx, __edi, __esi);
                                                            				_t102 = __ecx;
                                                            				 *((intOrPtr*)(_t102 + 0x20)) = GetDlgItem( *(__ecx + 4), 0x3e9);
                                                            				E00411A09(_t102 + 0x20,  *((intOrPtr*)(_t102 + 0x28)));
                                                            				E0040320A(_t103 - 0x3c);
                                                            				 *(_t103 - 4) =  *(_t103 - 4) & 0x00000000;
                                                            				_t51 = E0040C825(_t103 - 0x3c, _t103 - 0x30, 0x45);
                                                            				 *(_t103 - 4) = 1;
                                                            				E00408639(_t103 - 0x3c, _t103, _t51);
                                                            				_push( *(_t103 - 0x30));
                                                            				 *(_t103 - 4) = 0;
                                                            				L00408BFB(__ebx, __edi, _t102, _t106);
                                                            				SetWindowTextW( *(_t102 + 4),  *(_t103 - 0x3c));
                                                            				E0040320A(_t103 - 0x30);
                                                            				 *(_t103 - 4) = 2;
                                                            				_t58 = E0040C825(_t103 - 0x30, _t103 - 0x24, 0x13);
                                                            				 *(_t103 - 4) = 3;
                                                            				E00408639(_t103 - 0x30, _t103, _t58);
                                                            				_push( *(_t103 - 0x24));
                                                            				 *(_t103 - 4) = 2;
                                                            				L00408BFB(__ebx, __edi, _t102, _t106);
                                                            				_t100 = SetDlgItemTextW;
                                                            				SetDlgItemTextW( *(_t102 + 4), 0x3e8,  *(_t103 - 0x30));
                                                            				E0040320A(_t103 - 0x24);
                                                            				 *(_t103 - 4) = 4;
                                                            				_t65 = E0040C825(_t103 - 0x24, _t103 - 0x18, 0x14);
                                                            				 *(_t103 - 4) = 5;
                                                            				E00408639(_t103 - 0x24, _t103, _t65);
                                                            				_push( *(_t103 - 0x18));
                                                            				 *(_t103 - 4) = 4;
                                                            				L00408BFB(__ebx, SetDlgItemTextW, _t102, _t106);
                                                            				SetDlgItemTextW( *(_t102 + 4), 1,  *(_t103 - 0x24));
                                                            				E0040320A(_t103 - 0x18);
                                                            				 *(_t103 - 4) = 6;
                                                            				_t72 = E0040C825(_t103 - 0x18, _t103 - 0x48, 0x15);
                                                            				 *(_t103 - 4) = 7;
                                                            				E00408639(_t103 - 0x18, _t103, _t72);
                                                            				_push( *((intOrPtr*)(_t103 - 0x48)));
                                                            				 *(_t103 - 4) = 6;
                                                            				L00408BFB(_t83, SetDlgItemTextW, _t102, _t106);
                                                            				SetDlgItemTextW( *(_t102 + 4), 2,  *(_t103 - 0x18));
                                                            				E00410729(_t102);
                                                            				_push( *(_t103 - 0x18));
                                                            				L00408BFB(_t83, SetDlgItemTextW, _t102, _t106);
                                                            				_push( *(_t103 - 0x24));
                                                            				L00408BFB(_t83, SetDlgItemTextW, _t102, _t106);
                                                            				_push( *(_t103 - 0x30));
                                                            				L00408BFB(_t83, _t100, _t102, _t106);
                                                            				_push( *(_t103 - 0x3c));
                                                            				L00408BFB(_t83, _t100, _t102, _t106);
                                                            				return E00416BF9(0);
                                                            			}











                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00411A7E
                                                            • GetDlgItem.USER32 ref: 00411A8D
                                                              • Part of subcall function 00411A09: SetWindowTextW.USER32(?,?), ref: 00411A0F
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00411AD8
                                                            • SetDlgItemTextW.USER32 ref: 00411B21
                                                            • SetDlgItemTextW.USER32 ref: 00411B5D
                                                            • SetDlgItemTextW.USER32 ref: 00411B98
                                                              • Part of subcall function 00410729: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00410735
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Text$Item$Window$H_prolog3MessageSend
                                                            • String ID:
                                                            • API String ID: 928829568-0
                                                            • Opcode ID: 25c92fc8b8b0deefc2545ec3da354cb65018240ee316845516b76547c056f4f6
                                                            • Instruction ID: b35731b5b207d9e68d92d03bfb8da29b4d9b2404adce00c662d50eeccadc7d86
                                                            • Opcode Fuzzy Hash: 25c92fc8b8b0deefc2545ec3da354cb65018240ee316845516b76547c056f4f6
                                                            • Instruction Fuzzy Hash: 46417C71800248EEDB01FBA5CD46EDDBBB8AF18319F10406EF145721E2DE796A05AB69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00412298(void* __ecx, WCHAR* _a4, WCHAR* _a8, signed int _a12) {
                                                            				signed int _v8;
                                                            				WCHAR* _v12;
                                                            				void* _v16;
                                                            				void* _t37;
                                                            
                                                            				_t37 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                            					MessageBoxW(0, _a4, _a8, _a12 | 0x00012000);
                                                            				} else {
                                                            					WaitForSingleObject( *(__ecx + 0x1c), 0xffffffff);
                                                            					_v16 = _a4;
                                                            					_v12 = _a8;
                                                            					_v8 = _a12;
                                                            					 *(_t37 + 0x14) = CreateEventW(0, 1, 0, 0);
                                                            					SendMessageW( *(_t37 + 4),  *(_t37 + 0x10), 0,  &_v16);
                                                            					CloseHandle( *(_t37 + 0x14));
                                                            					WaitForSingleObject( *(_t37 + 0x14), 0xffffffff);
                                                            				}
                                                            				return  *((intOrPtr*)(_t37 + 0xc));
                                                            			}








                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 004122B5
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004122CE
                                                            • SendMessageW.USER32(?,?,00000000,?), ref: 004122E2
                                                            • CloseHandle.KERNEL32(?), ref: 004122EB
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004122F6
                                                            • MessageBoxW.USER32(00000000,?,?,?), ref: 0041230B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: MessageObjectSingleWait$CloseCreateEventHandleSend
                                                            • String ID:
                                                            • API String ID: 3833482109-0
                                                            • Opcode ID: 44920d0e2901c177dbfc16c8892598c63b16038f6ad1b0fd031c99cde1ba5956
                                                            • Instruction ID: 05a45f98d4f0a9b26814a01a8a2d873a3ab4fc0ac20ff3765e6b91abeb90003f
                                                            • Opcode Fuzzy Hash: 44920d0e2901c177dbfc16c8892598c63b16038f6ad1b0fd031c99cde1ba5956
                                                            • Instruction Fuzzy Hash: B1111E76600208FFCB21DFA8DD84D9ABBF9FB083117108629F566D2160D774E9159F64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E00418FBB(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t48;
                                                            				intOrPtr _t57;
                                                            				void* _t58;
                                                            				void* _t61;
                                                            
                                                            				_t61 = __eflags;
                                                            				_t53 = __edx;
                                                            				_push(0x2c);
                                                            				_push(0x42a608);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				_t48 = __ecx;
                                                            				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                                                            				_t57 =  *((intOrPtr*)(_t58 + 8));
                                                            				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                                                            				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                                                            				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                                                            				 *((intOrPtr*)(_t58 - 0x28)) = E00416A0D(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                                                            				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00418908(__ecx, __edx, _t55, _t61) + 0x88));
                                                            				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00418908(_t48, __edx, _t55, _t61) + 0x8c));
                                                            				 *((intOrPtr*)(E00418908(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
                                                            				 *((intOrPtr*)(E00418908(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                                                            				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                            				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                                                            				 *(_t58 - 4) = 1;
                                                            				 *((intOrPtr*)(_t58 - 0x1c)) = E00416AB2(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                                                            				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                            				 *(_t58 - 4) = 0xfffffffe;
                                                            				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                                                            				E004190E1(_t48, _t53, _t55, _t57, _t61);
                                                            				return E00417BB1( *((intOrPtr*)(_t58 - 0x1c)));
                                                            			}








                                                            APIs
                                                            • __CreateFrameInfo.LIBCMT ref: 00418FE3
                                                              • Part of subcall function 00416A0D: __getptd.LIBCMT ref: 00416A1B
                                                              • Part of subcall function 00416A0D: __getptd.LIBCMT ref: 00416A29
                                                            • __getptd.LIBCMT ref: 00418FED
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __getptd.LIBCMT ref: 00418FFB
                                                            • __getptd.LIBCMT ref: 00419009
                                                            • __getptd.LIBCMT ref: 00419014
                                                            • _CallCatchBlock2.LIBCMT ref: 0041903A
                                                              • Part of subcall function 00416AB2: __CallSettingFrame@12.LIBCMT ref: 00416AFE
                                                              • Part of subcall function 004190E1: __getptd.LIBCMT ref: 004190F0
                                                              • Part of subcall function 004190E1: __getptd.LIBCMT ref: 004190FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1602911419-0
                                                            • Opcode ID: 579217b7b214393cdbf3c318ed8681e717d909f332bb998e76287aaa26f99446
                                                            • Instruction ID: 6df8628facb7d4bd9ee04be2732a904581002fda0bb0b1463858a6040737a04e
                                                            • Opcode Fuzzy Hash: 579217b7b214393cdbf3c318ed8681e717d909f332bb998e76287aaa26f99446
                                                            • Instruction Fuzzy Hash: EF11D7B1D10209DFDB00EFA5C846AED7BB4FF09318F50806EF854AB251DB389A919F59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 74%
                                                            			E00412D6E(intOrPtr _a4, intOrPtr* _a8) {
                                                            				intOrPtr _v16;
                                                            				char _v32;
                                                            				char _v56;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				intOrPtr* _t28;
                                                            				void* _t31;
                                                            				intOrPtr* _t32;
                                                            				intOrPtr* _t42;
                                                            				intOrPtr _t46;
                                                            				intOrPtr* _t56;
                                                            				intOrPtr _t57;
                                                            				intOrPtr _t58;
                                                            				intOrPtr _t59;
                                                            				void* _t60;
                                                            
                                                            				_t42 = __imp__#4;
                                                            				_t58 = _a4;
                                                            				if( *((char*)(_t58 + 0x118)) != 0) {
                                                            					L11:
                                                            					_t59 =  *((intOrPtr*)(_t58 + 0x11c));
                                                            					 *_a8 =  *_t42(_t59, E00417DDA(_t59));
                                                            					__eflags = 0;
                                                            					return 0;
                                                            				}
                                                            				_t56 = _t58 + 0x131;
                                                            				if( *_t56 == 0) {
                                                            					E00412902(_t42,  &_v56, _t56, _t58, __eflags);
                                                            					_t46 =  *((intOrPtr*)(_t58 + 0x6c));
                                                            					_v32 =  *_t56;
                                                            					 *((intOrPtr*)(_t58 + 0x12c)) = _t46;
                                                            					_t28 =  *0x430640; // 0x487e58
                                                            					__eflags = _t28;
                                                            					if(_t28 != 0) {
                                                            						 *((intOrPtr*)( *_t28 + 0x28))(_t28, _t46, 8);
                                                            					}
                                                            					E0040FC41( *((intOrPtr*)(_t58 + 0xbc)));
                                                            					_t31 =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0x68))))( &_v56, 0x1f5);
                                                            					__eflags = _t31 - 2;
                                                            					_t32 =  *0x430640; // 0x487e58
                                                            					if(_t31 != 2) {
                                                            						__eflags = _t32;
                                                            						if(_t32 != 0) {
                                                            							 *((intOrPtr*)( *_t32 + 0x28))(_t32,  *((intOrPtr*)(_t58 + 0x12c)), 2);
                                                            						}
                                                            						goto L10;
                                                            					} else {
                                                            						__eflags = _t32;
                                                            						if(__eflags == 0) {
                                                            							L10:
                                                            							_t57 = _v16;
                                                            							E004090CA(_t58 + 0x11c, _t60,  *_t42(_t57, E00417DDA(_t57)));
                                                            							_push(_v16);
                                                            							 *((char*)(_t58 + 0x118)) = 1;
                                                            							L00408BFB(_t42, _t57, _t58, __eflags);
                                                            							goto L11;
                                                            						}
                                                            						 *((intOrPtr*)( *_t32 + 0x28))(_t32,  *((intOrPtr*)(_t58 + 0x12c)), 4);
                                                            						_push(_v16);
                                                            						L00408BFB(_t42, _t56, _t58, __eflags);
                                                            						goto L2;
                                                            					}
                                                            				}
                                                            				L2:
                                                            				return 0x80004004;
                                                            			}

                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00412E22
                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00412E2A
                                                            • _wcslen.LIBCMT ref: 00412E4F
                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00412E57
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AllocString_wcslen
                                                            • String ID: X~H
                                                            • API String ID: 1837159753-1414872000
                                                            • Opcode ID: 062f1729fe61ea59d46fd9248896aa2d3cc6dd8e4d692e0a712a37658542653c
                                                            • Instruction ID: e9c7c381ef061b1e0d686df2e615424e472c72a5b61756d386b86c00ce312959
                                                            • Opcode Fuzzy Hash: 062f1729fe61ea59d46fd9248896aa2d3cc6dd8e4d692e0a712a37658542653c
                                                            • Instruction Fuzzy Hash: 1E31D171200304AFD715DB60D841FEA77B9AF49310F10846EF685D7291CB78ADA1CBA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00412207(intOrPtr* __ecx, intOrPtr _a4) {
                                                            				intOrPtr* _t15;
                                                            
                                                            				_t15 = __ecx;
                                                            				 *((intOrPtr*)(__ecx + 4)) = _a4;
                                                            				 *__ecx = 0x423e38;
                                                            				 *((char*)(__ecx + 0x18)) = 0;
                                                            				 *((intOrPtr*)(_t15 + 0x1c)) = CreateEventW(0, 1, 0, 0);
                                                            				 *((intOrPtr*)(_t15 + 8)) = RegisterWindowMessageW(L"CDialog::MSG_CREATE_MODAL_DLG");
                                                            				 *((intOrPtr*)(_t15 + 0x10)) = RegisterWindowMessageW(L"CDialog::MSG_CREATE_MESSAGE_BOX");
                                                            				return _t15;
                                                            			}

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00412462,00000000,?,00412918,00000004,00412DAA), ref: 00412222
                                                            • RegisterWindowMessageW.USER32(CDialog::MSG_CREATE_MODAL_DLG,?,00412462,00000000,?,00412918,00000004,00412DAA), ref: 00412236
                                                            • RegisterWindowMessageW.USER32(CDialog::MSG_CREATE_MESSAGE_BOX,?,00412462,00000000,?,00412918,00000004,00412DAA), ref: 00412240
                                                            Strings
                                                            • CDialog::MSG_CREATE_MODAL_DLG, xrefs: 0041222E
                                                            • CDialog::MSG_CREATE_MESSAGE_BOX, xrefs: 00412238
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: MessageRegisterWindow$CreateEvent
                                                            • String ID: CDialog::MSG_CREATE_MESSAGE_BOX$CDialog::MSG_CREATE_MODAL_DLG
                                                            • API String ID: 2418267205-1515309323
                                                            • Opcode ID: a1f4990a0d09b2e152a2986f9456ecd0e7071f3338bf2d159a5823b6b1520f03
                                                            • Instruction ID: 7a56bd6417bd55e6eff5826dd3db06749024ae003c45236857a91da1aefad182
                                                            • Opcode Fuzzy Hash: a1f4990a0d09b2e152a2986f9456ecd0e7071f3338bf2d159a5823b6b1520f03
                                                            • Instruction Fuzzy Hash: EEE06DB2710350AFD3309F79AC04927FAF8EF55701791892FF491D3210D2B8E9058B94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 74%
                                                            			E00418D0A(void* __edx, void* __esi, intOrPtr* _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr _t11;
                                                            				intOrPtr* _t15;
                                                            				intOrPtr* _t19;
                                                            				void* _t23;
                                                            				void* _t25;
                                                            
                                                            				_t26 = __esi;
                                                            				_t24 = __edx;
                                                            				_t11 =  *((intOrPtr*)( *_a4));
                                                            				if(_t11 == 0xe0434f4d) {
                                                            					__eflags =  *((intOrPtr*)(E00418908(_t23, __edx, _t25, __eflags) + 0x90));
                                                            					if(__eflags > 0) {
                                                            						_t15 = E00418908(_t23, __edx, _t25, __eflags) + 0x90;
                                                            						 *_t15 =  *_t15 - 1;
                                                            						__eflags =  *_t15;
                                                            					}
                                                            					goto L5;
                                                            				} else {
                                                            					_t32 = _t11 - 0xe06d7363;
                                                            					if(_t11 != 0xe06d7363) {
                                                            						L5:
                                                            						__eflags = 0;
                                                            						return 0;
                                                            					} else {
                                                            						 *(E00418908(_t23, __edx, _t25, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
                                                            						_push(8);
                                                            						_push(0x42a6c0);
                                                            						E00417B6C(_t23, _t25, __esi);
                                                            						_t19 =  *((intOrPtr*)(E00418908(_t23, __edx, _t25, _t32) + 0x78));
                                                            						if(_t19 != 0) {
                                                            							_v8 = _v8 & 0x00000000;
                                                            							 *_t19();
                                                            							_v8 = 0xfffffffe;
                                                            						}
                                                            						return E00417BB1(E004182E8(_t23, _t24, _t25, _t26));
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • __getptd.LIBCMT ref: 00418D24
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __getptd.LIBCMT ref: 00418D35
                                                            • __getptd.LIBCMT ref: 00418D43
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                            • String ID: MOC$csm
                                                            • API String ID: 803148776-1389381023
                                                            • Opcode ID: 248be03a206c6a55057d12ce47396a5383d0cb7058c7b3fb3aa76f8b972b7f58
                                                            • Instruction ID: 27ff82cd3330833795aa0bae25d065d47b14e5a22e3d47f3feb9cea4d9ff3d65
                                                            • Opcode Fuzzy Hash: 248be03a206c6a55057d12ce47396a5383d0cb7058c7b3fb3aa76f8b972b7f58
                                                            • Instruction Fuzzy Hash: E9E01AB12202088FC710AA65D44ABA933A8AB58318F1600AAE408CF363CB3CD8C0955B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E0041CBF4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _t15;
                                                            				LONG* _t21;
                                                            				long _t23;
                                                            				void* _t31;
                                                            				LONG* _t33;
                                                            				void* _t34;
                                                            				void* _t35;
                                                            
                                                            				_t35 = __eflags;
                                                            				_t29 = __edx;
                                                            				_t25 = __ebx;
                                                            				_push(0xc);
                                                            				_push(0x42a800);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				_t31 = E00418908(__ebx, __edx, __edi, _t35);
                                                            				_t15 =  *0x42e020; // 0xfffffffe
                                                            				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                            					E00419EA7(_t25, 0xd);
                                                            					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                            					_t33 =  *(_t31 + 0x68);
                                                            					 *(_t34 - 0x1c) = _t33;
                                                            					__eflags = _t33 -  *0x42dc68; // 0x2231600
                                                            					if(__eflags != 0) {
                                                            						__eflags = _t33;
                                                            						if(_t33 != 0) {
                                                            							_t23 = InterlockedDecrement(_t33);
                                                            							__eflags = _t23;
                                                            							if(_t23 == 0) {
                                                            								__eflags = _t33 - 0x42d840;
                                                            								if(__eflags != 0) {
                                                            									_push(_t33);
                                                            									E004174DE(_t25, _t31, _t33, __eflags);
                                                            								}
                                                            							}
                                                            						}
                                                            						_t21 =  *0x42dc68; // 0x2231600
                                                            						 *(_t31 + 0x68) = _t21;
                                                            						_t33 =  *0x42dc68; // 0x2231600
                                                            						 *(_t34 - 0x1c) = _t33;
                                                            						InterlockedIncrement(_t33);
                                                            					}
                                                            					 *(_t34 - 4) = 0xfffffffe;
                                                            					E0041CC8F();
                                                            				} else {
                                                            					_t33 =  *(_t31 + 0x68);
                                                            				}
                                                            				if(_t33 == 0) {
                                                            					E0041A9FE(_t29, _t31, 0x20);
                                                            				}
                                                            				return E00417BB1(_t33);
                                                            			}

                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041CC00
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __amsg_exit.LIBCMT ref: 0041CC20
                                                            • __lock.LIBCMT ref: 0041CC30
                                                            • InterlockedDecrement.KERNEL32(?), ref: 0041CC4D
                                                            • InterlockedIncrement.KERNEL32(02231600), ref: 0041CC78
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                            • String ID:
                                                            • API String ID: 4271482742-0
                                                            • Opcode ID: 0d130036e55c6d8c92cbe47bde502ac891a0113e34d28d943e827f390023fd41
                                                            • Instruction ID: 342b5fc9f3facb3c44125a49419e8c9e1354d52a9280f9b853240e0c54386efc
                                                            • Opcode Fuzzy Hash: 0d130036e55c6d8c92cbe47bde502ac891a0113e34d28d943e827f390023fd41
                                                            • Instruction Fuzzy Hash: CF018E31E84721ABD720AF2A9C8979A7760AF04B15F50011BE80467390DB3C6DD2CBDD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 64%
                                                            			E00417A2C(intOrPtr __edx, void* __edi, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
                                                            				struct _SECURITY_ATTRIBUTES* _v0;
                                                            				intOrPtr _v4;
                                                            				DWORD* _v12;
                                                            				void* _v24;
                                                            				intOrPtr _v28;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* _t30;
                                                            				void* _t36;
                                                            				DWORD* _t41;
                                                            				intOrPtr* _t43;
                                                            				void* _t45;
                                                            				void* _t51;
                                                            				long _t54;
                                                            				void* _t64;
                                                            				intOrPtr _t65;
                                                            				intOrPtr* _t67;
                                                            				void* _t68;
                                                            				intOrPtr _t71;
                                                            				void* _t74;
                                                            
                                                            				_t64 = __edi;
                                                            				_t61 = __edx;
                                                            				_t74 = _v24;
                                                            				E0041AC84(_v28);
                                                            				asm("int3");
                                                            				_t71 = _t74;
                                                            				_push(_t67);
                                                            				E0041871A();
                                                            				_t30 = E004186FA(E00418714());
                                                            				if(_t30 != 0) {
                                                            					_t54 = _a4;
                                                            					 *((intOrPtr*)(_t30 + 0x54)) =  *((intOrPtr*)(_t54 + 0x54));
                                                            					 *((intOrPtr*)(_t30 + 0x58)) =  *((intOrPtr*)(_t54 + 0x58));
                                                            					_t61 =  *((intOrPtr*)(_t54 + 4));
                                                            					_push(_t54);
                                                            					 *((intOrPtr*)(_t30 + 4)) =  *((intOrPtr*)(_t54 + 4));
                                                            					E00418922(_t51, __edi, _t67, __eflags);
                                                            				} else {
                                                            					_t67 = _a4;
                                                            					if(E0041874E(E00418714(), _t67) == 0) {
                                                            						ExitThread(GetLastError());
                                                            					}
                                                            					 *_t67 = GetCurrentThreadId();
                                                            				}
                                                            				_t79 =  *0x434300;
                                                            				if( *0x434300 != 0) {
                                                            					_t45 = E0041AFE0(_t79, 0x434300);
                                                            					_pop(_t54);
                                                            					_t80 = _t45;
                                                            					if(_t45 != 0) {
                                                            						 *0x434300(); // executed
                                                            					}
                                                            				}
                                                            				E004179F7(_t61, _t64, _t67, _t80); // executed
                                                            				asm("int3");
                                                            				_push(_t71);
                                                            				_push(_t54);
                                                            				_push(_t51);
                                                            				_push(_t64);
                                                            				_t65 = _v4;
                                                            				_v24 = 0;
                                                            				_t81 = _t65;
                                                            				if(_t65 != 0) {
                                                            					_push(_t67);
                                                            					E0041871A();
                                                            					_t68 = E0041AE0D(1, 0x214);
                                                            					__eflags = _t68;
                                                            					if(__eflags == 0) {
                                                            						L17:
                                                            						_push(_t68);
                                                            						E004174DE(0, _t65, _t68, __eflags);
                                                            						__eflags = _v12;
                                                            						if(_v12 != 0) {
                                                            							E0041AD6E(_v12);
                                                            						}
                                                            						_t36 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_push( *((intOrPtr*)(E00418908(0, _t61, _t65, __eflags) + 0x6c)));
                                                            						_push(_t68);
                                                            						E004187A8(0, _t65, _t68, __eflags);
                                                            						 *(_t68 + 4) =  *(_t68 + 4) | 0xffffffff;
                                                            						 *((intOrPtr*)(_t68 + 0x58)) = _a12;
                                                            						_t41 = _a20;
                                                            						 *((intOrPtr*)(_t68 + 0x54)) = _t65;
                                                            						__eflags = _t41;
                                                            						if(_t41 == 0) {
                                                            							_t41 =  &_a8;
                                                            						}
                                                            						_t36 = CreateThread(_v0, _a4, E00417A38, _t68, _a16, _t41); // executed
                                                            						__eflags = _t36;
                                                            						if(__eflags == 0) {
                                                            							_v12 = GetLastError();
                                                            							goto L17;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t43 = E0041AD48(_t81);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					 *_t43 = 0x16;
                                                            					E0041B335(_t61, _t65, _t67);
                                                            					_t36 = 0;
                                                            				}
                                                            				return _t36;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 0041AC84: _doexit.LIBCMT ref: 0041AC90
                                                            • ___set_flsgetvalue.LIBCMT ref: 00417A3E
                                                              • Part of subcall function 0041871A: TlsGetValue.KERNEL32(?,00417A43), ref: 00418723
                                                              • Part of subcall function 0041871A: __decode_pointer.LIBCMT ref: 00418735
                                                              • Part of subcall function 0041871A: TlsSetValue.KERNEL32(00000000,00417A43), ref: 00418744
                                                            • ___fls_getvalue@4.LIBCMT ref: 00417A49
                                                              • Part of subcall function 004186FA: TlsGetValue.KERNEL32(?,?,00417A4E,00000000), ref: 00418708
                                                            • ___fls_setvalue@8.LIBCMT ref: 00417A5C
                                                              • Part of subcall function 0041874E: __decode_pointer.LIBCMT ref: 0041875F
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00417A65
                                                            • ExitThread.KERNEL32 ref: 00417A6C
                                                            • GetCurrentThreadId.KERNEL32 ref: 00417A72
                                                            • __freefls@4.LIBCMT ref: 00417A92
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00417AA5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                            • String ID:
                                                            • API String ID: 132634196-0
                                                            • Opcode ID: 59a878c804150c6aee79d0defe103255293982fc60a67c3d91ea100309f4ac37
                                                            • Instruction ID: a767db3d9a0cbb97adf9c0627760bb36d5894593ed74e0cff43f53381f065771
                                                            • Opcode Fuzzy Hash: 59a878c804150c6aee79d0defe103255293982fc60a67c3d91ea100309f4ac37
                                                            • Instruction Fuzzy Hash: 2EE0B671904205A7CF103BF38C4A8DF7A7DAE05399B20042EB92093552EF2DDA9246AE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 28%
                                                            			E00419368(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                            				void* __ebp;
                                                            				void* _t20;
                                                            				void* _t22;
                                                            				void* _t23;
                                                            				void* _t25;
                                                            				intOrPtr* _t26;
                                                            				void* _t27;
                                                            				void* _t28;
                                                            
                                                            				_t27 = __esi;
                                                            				_t26 = __edi;
                                                            				_t25 = __edx;
                                                            				_t23 = __ecx;
                                                            				_t22 = __ebx;
                                                            				_t30 = _a20;
                                                            				if(_a20 != 0) {
                                                            					_push(_a20);
                                                            					_push(__ebx);
                                                            					_push(__esi);
                                                            					_push(_a4);
                                                            					E004192D6(__ebx, __edi, __esi, _t30);
                                                            					_t28 = _t28 + 0x10;
                                                            				}
                                                            				_t31 = _a28;
                                                            				_push(_a4);
                                                            				if(_a28 != 0) {
                                                            					_push(_a28);
                                                            				} else {
                                                            					_push(_t27);
                                                            				}
                                                            				E00416765(_t23);
                                                            				_push( *_t26);
                                                            				_push(_a16);
                                                            				_push(_a12);
                                                            				_push(_t27);
                                                            				E00418D53(_t22, _t25, _t26, _t27, _t31);
                                                            				_push(0x100);
                                                            				_push(_a24);
                                                            				_push(_a16);
                                                            				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
                                                            				_push(_a8);
                                                            				_push(_t27);
                                                            				_push(_a4);
                                                            				_t20 = E00418FBB(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
                                                            				if(_t20 != 0) {
                                                            					E0041672C(_t20, _t27);
                                                            					return _t20;
                                                            				}
                                                            				return _t20;
                                                            			}

                                                            APIs
                                                            • ___BuildCatchObject.LIBCMT ref: 0041937B
                                                              • Part of subcall function 004192D6: ___BuildCatchObjectHelper.LIBCMT ref: 0041930C
                                                            • _UnwindNestedFrames.LIBCMT ref: 00419392
                                                            • ___FrameUnwindToState.LIBCMT ref: 004193A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                            • String ID: csm
                                                            • API String ID: 2163707966-1018135373
                                                            • Opcode ID: 63a8c01b2cfbc2af873947d8df69a081f22c1dca01e2e4dd082ec105b9986c10
                                                            • Instruction ID: e7868efc18412c9e077cac95ed549032f2f14645f1f76b68ebafbd800c385fcd
                                                            • Opcode Fuzzy Hash: 63a8c01b2cfbc2af873947d8df69a081f22c1dca01e2e4dd082ec105b9986c10
                                                            • Instruction Fuzzy Hash: B301E831000109BBDF126E52CC45EEB7F6AEF48358F04811AFD28151A1DB7AD9A1DBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E0040BB73(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t37;
                                                            
                                                            				_push(4);
                                                            				E00416B21(E0042198A, __ebx, __edi, __esi);
                                                            				 *((intOrPtr*)(_t37 - 0x10)) = __ecx;
                                                            				 *((intOrPtr*)(__ecx + 4)) = 0x4239bc;
                                                            				 *((intOrPtr*)(__ecx + 8)) = 0x4239d4;
                                                            				 *((intOrPtr*)(__ecx + 0xc)) = 0x4239e8;
                                                            				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                                            				 *((intOrPtr*)(__ecx)) = 0x423a54;
                                                            				 *((intOrPtr*)(__ecx + 4)) = 0x423a3c;
                                                            				 *((intOrPtr*)(__ecx + 8)) = 0x423a28;
                                                            				 *((intOrPtr*)(__ecx + 0xc)) = 0x423a14;
                                                            				E0040320A(__ecx + 0x14);
                                                            				 *((intOrPtr*)(_t37 - 4)) = 0;
                                                            				E0040320A(__ecx + 0x48);
                                                            				 *((char*)(_t37 - 4)) = 1;
                                                            				E0040320A(__ecx + 0x5c);
                                                            				 *((intOrPtr*)(__ecx + 0x6c)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x70)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x78)) = 4;
                                                            				 *((intOrPtr*)(__ecx + 0x68)) = 0x423798;
                                                            				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x80)) = 0;
                                                            				return E00416BF9(__ecx);
                                                            			}





                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: (:B$<:B$9B
                                                            • API String ID: 431132790-4150366847
                                                            • Opcode ID: 5fb88bcb03bd3d23b32fda4363389a208182e758c4177cff56519ff8fdf4f310
                                                            • Instruction ID: 14911f69345f63bfd26f3c457765aa6d4ab56a5ca1e715dcb9b32a0d5c853c2d
                                                            • Opcode Fuzzy Hash: 5fb88bcb03bd3d23b32fda4363389a208182e758c4177cff56519ff8fdf4f310
                                                            • Instruction Fuzzy Hash: 4D01C5F0600B608EC720DF56D04525AFBF4AF54709B80C95F95E697A61C7BCA248CF48
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E00411D1B(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _t12;
                                                            				char _t22;
                                                            				struct _CRITICAL_SECTION* _t25;
                                                            				intOrPtr* _t27;
                                                            				void* _t28;
                                                            
                                                            				_push(4);
                                                            				E00416B21(E00421F0F, __ebx, __edi, __esi);
                                                            				_t27 = __ecx;
                                                            				_t25 = __ecx + 0x10;
                                                            				 *(_t28 - 0x10) = _t25;
                                                            				EnterCriticalSection(_t25);
                                                            				_t22 =  *((intOrPtr*)(_t28 + 8));
                                                            				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                                                            				 *((char*)(_t27 + 0x29)) = _t22;
                                                            				_t12 =  *0x430640; // 0x487e58
                                                            				if(_t12 != 0) {
                                                            					_t12 =  *((intOrPtr*)( *_t12 + 0x28))(_t12,  *_t27, ((0 | _t22 == 0x00000000) - 0x00000001 & 0x00000006) + 2);
                                                            				}
                                                            				LeaveCriticalSection(_t25);
                                                            				return E00416BF9(_t12);
                                                            			}









                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00411D22
                                                            • EnterCriticalSection.KERNEL32(?,00000004), ref: 00411D30
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00411D60
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterH_prolog3Leave
                                                            • String ID: X~H
                                                            • API String ID: 4250467438-1414872000
                                                            • Opcode ID: 310eb642471ac03972c4500e77b936ad43dd337fb284ead9ea7a710ec625eed1
                                                            • Instruction ID: a99e67caecdfe9c04bbbf54af61d8fc765505409f39f3815a3df6966baed54f9
                                                            • Opcode Fuzzy Hash: 310eb642471ac03972c4500e77b936ad43dd337fb284ead9ea7a710ec625eed1
                                                            • Instruction Fuzzy Hash: 1BF027712003509BC7109FA0D8846AF7BB5FF46346B14066DE6528B120C778DD49CB68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041E2B2(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                            				char _v8;
                                                            				signed int _v12;
                                                            				char _v20;
                                                            				char _t43;
                                                            				char _t46;
                                                            				signed int _t53;
                                                            				signed int _t54;
                                                            				intOrPtr _t56;
                                                            				int _t57;
                                                            				int _t58;
                                                            				signed short* _t59;
                                                            				short* _t60;
                                                            				int _t65;
                                                            				char* _t72;
                                                            
                                                            				_t72 = _a8;
                                                            				if(_t72 == 0 || _a12 == 0) {
                                                            					L5:
                                                            					return 0;
                                                            				} else {
                                                            					if( *_t72 != 0) {
                                                            						E0041B6F9( &_v20, _a16);
                                                            						_t43 = _v20;
                                                            						__eflags =  *(_t43 + 0x14);
                                                            						if( *(_t43 + 0x14) != 0) {
                                                            							_t46 = E0041E3E3( *_t72 & 0x000000ff,  &_v20);
                                                            							__eflags = _t46;
                                                            							if(_t46 == 0) {
                                                            								__eflags = _a4;
                                                            								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
                                                            								if(__eflags != 0) {
                                                            									L10:
                                                            									__eflags = _v8;
                                                            									if(_v8 != 0) {
                                                            										_t53 = _v12;
                                                            										_t11 = _t53 + 0x70;
                                                            										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                            										__eflags =  *_t11;
                                                            									}
                                                            									return 1;
                                                            								}
                                                            								L21:
                                                            								_t54 = E0041AD48(__eflags);
                                                            								 *_t54 = 0x2a;
                                                            								__eflags = _v8;
                                                            								if(_v8 != 0) {
                                                            									_t54 = _v12;
                                                            									_t33 = _t54 + 0x70;
                                                            									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                            									__eflags =  *_t33;
                                                            								}
                                                            								return _t54 | 0xffffffff;
                                                            							}
                                                            							_t56 = _v20;
                                                            							_t65 =  *(_t56 + 0xac);
                                                            							__eflags = _t65 - 1;
                                                            							if(_t65 <= 1) {
                                                            								L17:
                                                            								__eflags = _a12 -  *(_t56 + 0xac);
                                                            								if(__eflags < 0) {
                                                            									goto L21;
                                                            								}
                                                            								__eflags = _t72[1];
                                                            								if(__eflags == 0) {
                                                            									goto L21;
                                                            								}
                                                            								L19:
                                                            								_t57 =  *(_t56 + 0xac);
                                                            								__eflags = _v8;
                                                            								if(_v8 == 0) {
                                                            									return _t57;
                                                            								}
                                                            								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                            								return _t57;
                                                            							}
                                                            							__eflags = _a12 - _t65;
                                                            							if(_a12 < _t65) {
                                                            								goto L17;
                                                            							}
                                                            							__eflags = _a4;
                                                            							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
                                                            							__eflags = _t58;
                                                            							_t56 = _v20;
                                                            							if(_t58 != 0) {
                                                            								goto L19;
                                                            							}
                                                            							goto L17;
                                                            						}
                                                            						_t59 = _a4;
                                                            						__eflags = _t59;
                                                            						if(_t59 != 0) {
                                                            							 *_t59 =  *_t72 & 0x000000ff;
                                                            						}
                                                            						goto L10;
                                                            					} else {
                                                            						_t60 = _a4;
                                                            						if(_t60 != 0) {
                                                            							 *_t60 = 0;
                                                            						}
                                                            						goto L5;
                                                            					}
                                                            				}
                                                            			}


















                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041E2E6
                                                            • __isleadbyte_l.LIBCMT ref: 0041E31A
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0041B83B,?,00000000,00000000,?,?,?,?,0041B83B), ref: 0041E34B
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0041B83B,00000001,00000000,00000000,?,?,?,?,0041B83B), ref: 0041E3B9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            • String ID:
                                                            • API String ID: 3058430110-0
                                                            • Opcode ID: fae03e345869caab92b8b7168c71cc03d22abb853247b91a096b241b8bbe7333
                                                            • Instruction ID: 06cc490f68b29341d32c057b6d3aa829f801d5644f6318d0223809272f2e9e98
                                                            • Opcode Fuzzy Hash: fae03e345869caab92b8b7168c71cc03d22abb853247b91a096b241b8bbe7333
                                                            • Instruction Fuzzy Hash: C3310E34A0028AEFDB20CF66C891DEE7BA5BF01311F1445AAECA48B290D334DD81DB59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E00409C01(struct HWND__** __ecx, intOrPtr* _a4) {
                                                            				int _t10;
                                                            				signed int _t11;
                                                            				signed int _t12;
                                                            				signed int _t13;
                                                            				signed int _t15;
                                                            				int _t17;
                                                            				struct HWND__** _t25;
                                                            				intOrPtr _t26;
                                                            				intOrPtr* _t28;
                                                            
                                                            				_t28 = _a4;
                                                            				 *(_t28 + 4) =  *(_t28 + 4) & 0x00000000;
                                                            				_t25 = __ecx;
                                                            				 *((short*)( *_t28)) = 0;
                                                            				_t17 = GetWindowTextLengthW( *__ecx);
                                                            				if(_t17 != 0) {
                                                            					_t10 = GetWindowTextW( *_t25, E00403FA3(_t28, _t17), _t17 + 1);
                                                            					_t26 =  *_t28;
                                                            					_t11 = E0040116F(_t26);
                                                            					 *((short*)(_t26 + _t11 * 2)) = 0;
                                                            					 *(_t28 + 4) = _t11;
                                                            					if(_t10 != 0) {
                                                            						_t12 = 1;
                                                            					} else {
                                                            						_t13 = GetLastError();
                                                            						asm("sbb eax, eax");
                                                            						_t12 =  ~( ~_t13);
                                                            					}
                                                            				} else {
                                                            					_t15 = GetLastError();
                                                            					asm("sbb eax, eax");
                                                            					_t12 =  ~_t15 + 1;
                                                            				}
                                                            				return _t12;
                                                            			}













                                                            APIs
                                                            • GetWindowTextLengthW.USER32 ref: 00409C17
                                                            • GetLastError.KERNEL32 ref: 00409C23
                                                            • GetWindowTextW.USER32 ref: 00409C3D
                                                            • GetLastError.KERNEL32(?,?,00000000,00000000,00000000), ref: 00409C5A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastTextWindow$Length
                                                            • String ID:
                                                            • API String ID: 3440162706-0
                                                            • Opcode ID: d29d1dabf7f37da445bba4c44006a9e540a00eec02cc97a31967c6722456d859
                                                            • Instruction ID: 0b3f5f8dc11d9cb6f52a592932b536abcf6f7bd2eff94a09abaf9dd0597dadaa
                                                            • Opcode Fuzzy Hash: d29d1dabf7f37da445bba4c44006a9e540a00eec02cc97a31967c6722456d859
                                                            • Instruction Fuzzy Hash: 5E018675714202ABD7205F78D888826B3FCEF59716710443AF447D32A0DF759C128B2D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E0041C958(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                            				signed int _t13;
                                                            				intOrPtr _t28;
                                                            				void* _t29;
                                                            				void* _t30;
                                                            
                                                            				_t30 = __eflags;
                                                            				_t26 = __edi;
                                                            				_t25 = __edx;
                                                            				_t22 = __ebx;
                                                            				_push(0xc);
                                                            				_push(0x42a7e0);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				_t28 = E00418908(__ebx, __edx, __edi, _t30);
                                                            				_t13 =  *0x42e020; // 0xfffffffe
                                                            				if(( *(_t28 + 0x70) & _t13) == 0) {
                                                            					L6:
                                                            					E00419EA7(_t22, 0xc);
                                                            					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                                            					_t8 = _t28 + 0x6c; // 0x6c
                                                            					_t26 =  *0x42d830; // 0x42d758
                                                            					 *((intOrPtr*)(_t29 - 0x1c)) = E0041C91A(_t8, _t26);
                                                            					 *(_t29 - 4) = 0xfffffffe;
                                                            					E0041C9C2();
                                                            				} else {
                                                            					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
                                                            					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                                                            						goto L6;
                                                            					} else {
                                                            						_t28 =  *((intOrPtr*)(E00418908(_t22, __edx, _t26, _t32) + 0x6c));
                                                            					}
                                                            				}
                                                            				if(_t28 == 0) {
                                                            					E0041A9FE(_t25, _t26, 0x20);
                                                            				}
                                                            				return E00417BB1(_t28);
                                                            			}








                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041C964
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __getptd.LIBCMT ref: 0041C97B
                                                            • __amsg_exit.LIBCMT ref: 0041C989
                                                            • __lock.LIBCMT ref: 0041C999
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                            • String ID:
                                                            • API String ID: 3521780317-0
                                                            • Opcode ID: 949d4ace6e436c1979df6c52288330fee53b2dc502489d74444a9079756289a3
                                                            • Instruction ID: cd17e753ec4a28575be3e050727088d2e2c04aa294c6b3e927e7230be7d31612
                                                            • Opcode Fuzzy Hash: 949d4ace6e436c1979df6c52288330fee53b2dc502489d74444a9079756289a3
                                                            • Instruction Fuzzy Hash: 30F062B2EA07048AD720BB6688427DD76A06B00718F50415FE454672D1CF3C69C18B5E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041224C(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                            				void* _t20;
                                                            
                                                            				_t20 = __ecx;
                                                            				WaitForSingleObject( *(__ecx + 0x1c), 0xffffffff);
                                                            				 *(_t20 + 0x14) = CreateEventW(0, 1, 0, 0);
                                                            				E00411C40(_t20 + 4,  *((intOrPtr*)(_t20 + 8)), _a8, _a4);
                                                            				WaitForSingleObject( *(_t20 + 0x14), 0xffffffff);
                                                            				CloseHandle( *(_t20 + 0x14));
                                                            				return  *((intOrPtr*)(_t20 + 0xc));
                                                            			}





                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041225B
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00412264
                                                              • Part of subcall function 00411C40: PostMessageW.USER32(?,?,?,?), ref: 00411C4E
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412285
                                                            • CloseHandle.KERNEL32(?), ref: 0041228A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ObjectSingleWait$CloseCreateEventHandleMessagePost
                                                            • String ID:
                                                            • API String ID: 1259710111-0
                                                            • Opcode ID: 688a9044c8813bffc1647393a113ac4df378807a7bac1586038bcedb71cd57a5
                                                            • Instruction ID: 587c63874120dfd8d7cb41ac1519f56cfecb811f02ec18e29ab156a93c3206fa
                                                            • Opcode Fuzzy Hash: 688a9044c8813bffc1647393a113ac4df378807a7bac1586038bcedb71cd57a5
                                                            • Instruction Fuzzy Hash: 3BF0F835104601AFDB31AF25ED04C67BBB9EB847217108A29F8A2926B4CA31A8169B71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E00404EF2(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed char _t106;
                                                            				intOrPtr _t116;
                                                            				signed char* _t124;
                                                            				void* _t130;
                                                            				void* _t141;
                                                            				signed int _t159;
                                                            				signed int _t161;
                                                            				signed int _t162;
                                                            				signed char* _t163;
                                                            				signed char* _t165;
                                                            				signed int _t167;
                                                            				void* _t168;
                                                            
                                                            				_t159 = __edx;
                                                            				_push(0x5c);
                                                            				E00416B8A(E00421117, __ebx, __edi, __esi);
                                                            				_t165 =  *(_t168 + 8);
                                                            				_t141 = __ecx;
                                                            				 *(_t168 - 0x2c) = _t165;
                                                            				 *((intOrPtr*)(_t168 - 0x3c)) = E00403D5E( *((intOrPtr*)(__ecx + 0x18)), __edx, __edi);
                                                            				E00408B5A();
                                                            				E00408A61(_t165,  *((intOrPtr*)(_t168 - 0x3c)));
                                                            				_t161 = 0;
                                                            				 *(_t168 - 0x30) = 0;
                                                            				 *((intOrPtr*)(_t168 - 0x44)) = 0;
                                                            				 *((intOrPtr*)(_t168 - 0x48)) = 0;
                                                            				if( *((intOrPtr*)(_t168 - 0x3c)) > 0) {
                                                            					while(1) {
                                                            						 *((intOrPtr*)(_t168 - 0x60)) = 0x423364;
                                                            						 *(_t168 - 0x5c) = _t161;
                                                            						 *(_t168 - 0x58) = _t161;
                                                            						_push(_t168 - 0x68);
                                                            						 *(_t168 - 4) = _t161;
                                                            						E00404E79(_t141, _t165, _t161, _t165, __eflags);
                                                            						 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
                                                            						_push(_t161);
                                                            						L00408BFB(_t141, _t161, _t165, __eflags);
                                                            						_t162 =  *(_t165[0xc] + _t165[8] * 4 - 4);
                                                            						_t106 = L00403C4E( *(_t141 + 0x18), _t162);
                                                            						_t150 =  *(_t141 + 0x18);
                                                            						 *(_t168 - 0x21) = _t106;
                                                            						_t167 = _t106 & 0xf;
                                                            						E00403C65( *(_t141 + 0x18), _t168 - 0x20, _t167);
                                                            						__eflags = _t167 - 8;
                                                            						if(_t167 > 8) {
                                                            							goto L23;
                                                            						}
                                                            						__eflags = _t167;
                                                            						 *(_t168 - 0x38) = 0;
                                                            						 *(_t168 - 0x34) = 0;
                                                            						if(_t167 > 0) {
                                                            							 *(_t168 - 0x40) = 0;
                                                            							 *(_t168 - 0x28) = _t168 + _t167 - 0x21;
                                                            							do {
                                                            								_t150 =  *(_t168 - 0x40);
                                                            								asm("cdq");
                                                            								 *(_t168 - 0x38) =  *(_t168 - 0x38) | E00416FA0( *( *(_t168 - 0x28)) & 0x000000ff,  *(_t168 - 0x40), _t159);
                                                            								 *(_t168 - 0x34) =  *(_t168 - 0x34) | _t159;
                                                            								 *(_t168 - 0x28) =  *(_t168 - 0x28) - 1;
                                                            								 *(_t168 - 0x40) =  &(( *(_t168 - 0x40))[8]);
                                                            								_t167 = _t167 - 1;
                                                            								__eflags = _t167;
                                                            							} while (_t167 != 0);
                                                            						}
                                                            						__eflags =  *(_t168 - 0x21) & 0x00000010;
                                                            						 *_t162 =  *(_t168 - 0x38);
                                                            						 *(_t162 + 4) =  *(_t168 - 0x34);
                                                            						if(( *(_t168 - 0x21) & 0x00000010) == 0) {
                                                            							_t116 = 1;
                                                            							__eflags = 1;
                                                            							 *((intOrPtr*)(_t162 + 0x14)) = 1;
                                                            						} else {
                                                            							 *((intOrPtr*)(_t162 + 0x14)) = E00403D5E( *(_t141 + 0x18), _t159, _t162);
                                                            							_t150 =  *(_t141 + 0x18);
                                                            							_t116 = E00403D5E( *(_t141 + 0x18), _t159, _t162);
                                                            						}
                                                            						__eflags =  *(_t168 - 0x21) & 0x00000020;
                                                            						 *((intOrPtr*)(_t162 + 0x18)) = _t116;
                                                            						if(( *(_t168 - 0x21) & 0x00000020) != 0) {
                                                            							_t167 = E00403D5E( *(_t141 + 0x18), _t159, _t162);
                                                            							_t76 = _t162 + 8; // 0x107
                                                            							E0040140A(_t76, _t168, _t167);
                                                            							_t150 =  *(_t141 + 0x18);
                                                            							E00403C65( *(_t141 + 0x18),  *((intOrPtr*)(_t162 + 0x10)), _t167);
                                                            						}
                                                            						__eflags =  *(_t168 - 0x21) & 0x00000080;
                                                            						if(( *(_t168 - 0x21) & 0x00000080) != 0) {
                                                            							goto L23;
                                                            						} else {
                                                            							 *(_t168 - 0x30) =  *(_t168 - 0x30) +  *((intOrPtr*)(_t162 + 0x14));
                                                            							 *((intOrPtr*)(_t168 - 0x44)) =  *((intOrPtr*)(_t168 - 0x44)) +  *((intOrPtr*)(_t162 + 0x18));
                                                            							 *((intOrPtr*)(_t168 - 0x48)) =  *((intOrPtr*)(_t168 - 0x48)) + 1;
                                                            							_t165 =  *(_t168 - 0x2c);
                                                            							__eflags =  *((intOrPtr*)(_t168 - 0x48)) -  *((intOrPtr*)(_t168 - 0x3c));
                                                            							if( *((intOrPtr*)(_t168 - 0x48)) <  *((intOrPtr*)(_t168 - 0x3c))) {
                                                            								_t161 = 0;
                                                            								__eflags = 0;
                                                            								continue;
                                                            							} else {
                                                            								goto L1;
                                                            							}
                                                            						}
                                                            						goto L29;
                                                            					}
                                                            					goto L23;
                                                            				} else {
                                                            					L1:
                                                            					_t163 =  &(_t165[0x14]);
                                                            					 *(_t168 - 0x28) =  *((intOrPtr*)(_t168 - 0x44)) - 1;
                                                            					E00408B5A();
                                                            					_t150 = _t163;
                                                            					E00408A61(_t163,  *(_t168 - 0x28));
                                                            					_t124 =  *(_t168 - 0x28);
                                                            					if(_t124 > 0) {
                                                            						 *(_t168 - 0x2c) = _t124;
                                                            						do {
                                                            							 *(_t168 - 0x38) = E00403D5E( *(_t141 + 0x18), _t159, _t163);
                                                            							_t130 = E00403D5E( *(_t141 + 0x18), _t159, _t163);
                                                            							_t150 = _t163;
                                                            							E00403DE7(_t163,  *(_t168 - 0x38), _t130);
                                                            							_t20 = _t168 - 0x2c;
                                                            							 *_t20 =  *(_t168 - 0x2c) - 1;
                                                            						} while ( *_t20 != 0);
                                                            					}
                                                            					_t162 =  *(_t168 - 0x30);
                                                            					if(_t162 <  *(_t168 - 0x28)) {
                                                            						L23:
                                                            						E00403C2E(_t150, _t162);
                                                            						goto L24;
                                                            					} else {
                                                            						_t162 = _t162 -  *(_t168 - 0x28);
                                                            						_t150 =  &(_t165[0x28]);
                                                            						 *(_t168 - 0x2c) =  &(_t165[0x28]);
                                                            						E00408A61( &(_t165[0x28]), _t162);
                                                            						if(_t162 != 1) {
                                                            							__eflags = _t162;
                                                            							if(_t162 > 0) {
                                                            								do {
                                                            									E0040105E( *(_t168 - 0x2c), E00403D5E( *(_t141 + 0x18), _t159, _t162));
                                                            									_t162 = _t162 - 1;
                                                            									__eflags = _t162;
                                                            								} while (_t162 != 0);
                                                            							}
                                                            						} else {
                                                            							_t162 = 0;
                                                            							if( *(_t168 - 0x30) > 0) {
                                                            								while(1) {
                                                            									_t150 = _t165;
                                                            									if(E00401237(_t165, _t162) < 0) {
                                                            										break;
                                                            									}
                                                            									_t162 = _t162 + 1;
                                                            									if(_t162 <  *(_t168 - 0x30)) {
                                                            										continue;
                                                            									} else {
                                                            									}
                                                            									goto L25;
                                                            								}
                                                            								L24:
                                                            								_t150 =  *(_t168 - 0x2c);
                                                            								E0040105E( *(_t168 - 0x2c), _t162);
                                                            							}
                                                            							L25:
                                                            							if( *((intOrPtr*)(_t167 + 0x30)) != 1) {
                                                            								goto L23;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				L29:
                                                            				return E00416C0D(_t141, _t162, _t167);
                                                            			}
















                                                            APIs
                                                            • __EH_prolog3_GS.LIBCMT ref: 00404EF9
                                                              • Part of subcall function 00408A61: __CxxThrowException@8.LIBCMT ref: 00408A8C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Exception@8H_prolog3_Throw
                                                            • String ID: $d3B
                                                            • API String ID: 2985221223-198493696
                                                            • Opcode ID: a7477b0c66efa75ac5070eb5991b92a02dcb652aca25504d8e2e9fb72b76feb2
                                                            • Instruction ID: 2a29051ba39229ac5af4f25dd9e29a3bb43660fb59363973aee6b4079977c564
                                                            • Opcode Fuzzy Hash: a7477b0c66efa75ac5070eb5991b92a02dcb652aca25504d8e2e9fb72b76feb2
                                                            • Instruction Fuzzy Hash: 30612E71E006189BCF14EFAAC4819EEBBB5FF54314B10412FE855B7295CB38A951CFA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00409724(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _t33;
                                                            				WCHAR* _t35;
                                                            				signed int _t36;
                                                            				signed int _t40;
                                                            				void* _t42;
                                                            				void* _t44;
                                                            				void* _t46;
                                                            				WCHAR* _t55;
                                                            				WCHAR* _t58;
                                                            				signed short* _t67;
                                                            				signed int _t69;
                                                            				void* _t71;
                                                            
                                                            				_push(0x30);
                                                            				E00416B21(E00421683, __ebx, __edi, __esi);
                                                            				_t33 =  *((intOrPtr*)(_t71 + 0xc));
                                                            				 *(_t33 + 4) =  *(_t33 + 4) & 0x00000000;
                                                            				_t67 =  *(_t71 + 8);
                                                            				 *((short*)( *_t33)) = 0;
                                                            				_t35 = E0040116F(_t67);
                                                            				_t69 =  *_t67 & 0x0000ffff;
                                                            				_t55 = _t35;
                                                            				if(_t55 < 1 || _t69 == 0x5c || _t69 == 0x2e && (_t55 == 1 || _t55 == 2 && _t67[1] == _t69)) {
                                                            					L19:
                                                            					_t36 = 1;
                                                            					goto L20;
                                                            				} else {
                                                            					E0040320A(_t71 - 0x18);
                                                            					 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
                                                            					if(_t55 <= 3 || _t67[1] != 0x3a || _t67[2] != 0x5c) {
                                                            						L12:
                                                            						if( *((intOrPtr*)(_t71 - 0x10)) <= 0x105) {
                                                            							E0040110F(_t71 - 0x18, _t71, 0x105);
                                                            						}
                                                            						_t55 =  *(_t71 - 0x18);
                                                            						_t69 = GetCurrentDirectoryW(0x105, _t55);
                                                            						_t40 = E0040116F(_t55);
                                                            						_t58 =  &(_t55[_t40]);
                                                            						 *_t58 = 0;
                                                            						 *(_t71 - 0x14) = _t40;
                                                            						if(_t69 == 0 || _t69 > 0x104) {
                                                            							_push(_t55);
                                                            							L00408BFB(_t55, _t67, _t69, __eflags);
                                                            							_t36 = 0;
                                                            							L20:
                                                            							return E00416BF9(_t36);
                                                            						} else {
                                                            							_t90 =  *((short*)(_t58 - 2)) - 0x5c;
                                                            							if( *((short*)(_t58 - 2)) != 0x5c) {
                                                            								E00408670(_t71 - 0x18, 0, _t90, 0x5c);
                                                            							}
                                                            							goto L18;
                                                            						}
                                                            					} else {
                                                            						if(_t69 < 0x61 || _t69 > 0x7a) {
                                                            							if(_t69 <= 0x19) {
                                                            								goto L18;
                                                            							}
                                                            							goto L12;
                                                            						} else {
                                                            							L18:
                                                            							_t42 = E00401647(_t71 - 0x3c, _t71, L"\\\\?\\");
                                                            							_push(_t71 - 0x18);
                                                            							_push(_t42);
                                                            							_push(_t71 - 0x30);
                                                            							 *(_t71 - 4) = 1;
                                                            							_t44 = E004096A4(_t55, _t67, _t69, _t90);
                                                            							_push(_t67);
                                                            							_push(_t44);
                                                            							_push(_t71 - 0x24);
                                                            							 *(_t71 - 4) = 2;
                                                            							_t46 = E004096E4(_t55, 0, _t67, _t69, _t90);
                                                            							 *(_t71 - 4) = 3;
                                                            							E00408639( *((intOrPtr*)(_t71 + 0xc)), _t71, _t46);
                                                            							_push( *((intOrPtr*)(_t71 - 0x24)));
                                                            							L00408BFB(_t55, _t67, _t69, _t90);
                                                            							_push( *((intOrPtr*)(_t71 - 0x30)));
                                                            							L00408BFB(_t55, _t67, _t69, _t90);
                                                            							_push( *((intOrPtr*)(_t71 - 0x3c)));
                                                            							L00408BFB(_t55, _t67, _t69, _t90);
                                                            							_push( *(_t71 - 0x18));
                                                            							L00408BFB(_t55, _t67, _t69, _t90);
                                                            							goto L19;
                                                            						}
                                                            					}
                                                            				}
                                                            			}
















                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040972B
                                                            • GetCurrentDirectoryW.KERNEL32(00000105,?,00000000,00000030,00409885,004092CF,004092CF,?,004092CF,?,?), ref: 004097C9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryH_prolog3
                                                            • String ID: \\?\
                                                            • API String ID: 1178058307-4282027825
                                                            • Opcode ID: f118a3f3290672144fe87a09f6360a8fcc3ebba0e06e33764bf4dd8cc817b3bd
                                                            • Instruction ID: 7bce271ab9a2bc83a85faa0d6a69cb040a839cacd886d03d576964d627563978
                                                            • Opcode Fuzzy Hash: f118a3f3290672144fe87a09f6360a8fcc3ebba0e06e33764bf4dd8cc817b3bd
                                                            • Instruction Fuzzy Hash: 3531B172C10215AACB24FBA5C886AEFB778AF15304F10843FE104772E3DB795E858799
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041DF34() {
                                                            				intOrPtr _t5;
                                                            				intOrPtr _t6;
                                                            				intOrPtr _t10;
                                                            				void* _t12;
                                                            				intOrPtr _t15;
                                                            				intOrPtr* _t16;
                                                            				signed int _t19;
                                                            				signed int _t20;
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t27;
                                                            
                                                            				_t5 =  *0x4341a0;
                                                            				_t26 = 0x14;
                                                            				if(_t5 != 0) {
                                                            					if(_t5 < _t26) {
                                                            						_t5 = _t26;
                                                            						goto L4;
                                                            					}
                                                            				} else {
                                                            					_t5 = 0x200;
                                                            					L4:
                                                            					 *0x4341a0 = _t5;
                                                            				}
                                                            				_t6 = E0041AE0D(_t5, 4);
                                                            				 *0x433180 = _t6;
                                                            				if(_t6 != 0) {
                                                            					L8:
                                                            					_t19 = 0;
                                                            					_t15 = 0x42dda0;
                                                            					while(1) {
                                                            						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                                                            						_t15 = _t15 + 0x20;
                                                            						_t19 = _t19 + 4;
                                                            						if(_t15 >= 0x42e020) {
                                                            							break;
                                                            						}
                                                            						_t6 =  *0x433180; // 0x22320e0
                                                            					}
                                                            					_t27 = 0xfffffffe;
                                                            					_t20 = 0;
                                                            					_t16 = 0x42ddb0;
                                                            					do {
                                                            						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x4341c0 + (_t20 >> 5) * 4))));
                                                            						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                                                            							 *_t16 = _t27;
                                                            						}
                                                            						_t16 = _t16 + 0x20;
                                                            						_t20 = _t20 + 1;
                                                            					} while (_t16 < 0x42de10);
                                                            					return 0;
                                                            				} else {
                                                            					 *0x4341a0 = _t26;
                                                            					_t6 = E0041AE0D(_t26, 4);
                                                            					 *0x433180 = _t6;
                                                            					if(_t6 != 0) {
                                                            						goto L8;
                                                            					} else {
                                                            						_t12 = 0x1a;
                                                            						return _t12;
                                                            					}
                                                            				}
                                                            			}














                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __calloc_crt
                                                            • String ID: B
                                                            • API String ID: 3494438863-2386870291
                                                            • Opcode ID: 9f15f0925eca237c65d6fa70714d8e4b72b97ca9536b99fd2ee5f47634c721da
                                                            • Instruction ID: 57d23638a4b1109f3cac8a2ec3f751d66eb44c115c110b22eca0b43510dbea81
                                                            • Opcode Fuzzy Hash: 9f15f0925eca237c65d6fa70714d8e4b72b97ca9536b99fd2ee5f47634c721da
                                                            • Instruction Fuzzy Hash: B411A7B1B08A105BEB188E1DBC406E62781AB94338B64423FF117CB2D0E73CD9C2868D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E004190E1(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                            				intOrPtr _t17;
                                                            				intOrPtr* _t28;
                                                            				void* _t29;
                                                            
                                                            				_t30 = __eflags;
                                                            				_t28 = __esi;
                                                            				_t27 = __edi;
                                                            				_t26 = __edx;
                                                            				_t19 = __ebx;
                                                            				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                                                            				E00416A60(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
                                                            				 *((intOrPtr*)(E00418908(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                                                            				_t17 = E00418908(_t19, _t26, _t27, _t30);
                                                            				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                                                            				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                                                            					_t17 =  *((intOrPtr*)(__esi + 0x14));
                                                            					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                                                            						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
                                                            							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
                                                            							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
                                                            								_t17 = E00416A39(_t37,  *((intOrPtr*)(_t28 + 0x18)));
                                                            								_t38 = _t17;
                                                            								if(_t17 != 0) {
                                                            									_push( *((intOrPtr*)(_t29 + 0x10)));
                                                            									_push(_t28);
                                                            									return E00418E79(_t38);
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t17;
                                                            			}







                                                            APIs
                                                              • Part of subcall function 00416A60: __getptd.LIBCMT ref: 00416A66
                                                              • Part of subcall function 00416A60: __getptd.LIBCMT ref: 00416A76
                                                            • __getptd.LIBCMT ref: 004190F0
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __getptd.LIBCMT ref: 004190FE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.372214205.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.372207801.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372231367.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372241192.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.372250401.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372257230.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.372267319.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                            • String ID: csm
                                                            • API String ID: 803148776-1018135373
                                                            • Opcode ID: 50699f1a80890500d77e109498acb33ef47d3a8ec0fa8618813f53853dd35842
                                                            • Instruction ID: 862809d12b44138affb2cba2f23c5514b0f11f00af2c3c7d3a6141e5c4f9d8c0
                                                            • Opcode Fuzzy Hash: 50699f1a80890500d77e109498acb33ef47d3a8ec0fa8618813f53853dd35842
                                                            • Instruction Fuzzy Hash: 90014F34801206AAEF349F66E5686EEB7B5AF11351F55481FE08166351CB388DC4CB8D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:15.2%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:25

                                                            Graph

4134e9 17264 4134a7 17261->17264 17263 4134f2 17265 4134b3 __EH_prolog3_catch 17264->17265 17270 413320 17265->17270 17267 4134cc 17301 412e93 17267->17301 17269 4134d3 ~_Task_impl 17269->17263 17271 41332c __EH_prolog3 17270->17271 17306 40320a 17271->17306 17275 413346 17276 41336b 17275->17276 17277 41334a 17275->17277 17315 40c59c 17276->17315 17383 408639 17277->17383 17279 413357 ~_Task_impl 17279->17267 17281 4133ab 17350 408bc5 17281->17350 17283 4133b9 17284 4133cd 17283->17284 17285 4133be 17283->17285 17354 404082 17284->17354 17287 408639 70 API calls 17285->17287 17287->17279 17288 4133d9 17357 4099df 17288->17357 17292 4133ee 17293 413432 17292->17293 17294 4133f2 17292->17294 17393 401647 17293->17393 17387 40c997 17294->17387 17297 41343f 17397 412551 17297->17397 17298 413401 17300 408639 70 API calls 17298->17300 17300->17279 18326 40fc41 WaitForSingleObject 17301->18326 17303 412e9e 17304 412ea5 PostMessageW 17303->17304 17305 412eb7 17303->17305 17304->17269 17305->17269 17307 40110f 70 API calls 17306->17307 17308 40321e 17307->17308 17309 409371 17308->17309 17310 40937d __EH_prolog3 17309->17310 17437 409263 17310->17437 17314 40939b ~_Task_impl 17314->17275 17316 40c5a8 __EH_prolog3 17315->17316 17317 408bd0 70 API calls 17316->17317 17318 40c5bc 17317->17318 17320 40c5ce 17318->17320 17517 40bb73 17318->17517 17321 40320a 70 API calls 17320->17321 17322 40c5f6 17321->17322 17323 40320a 70 API calls 17322->17323 17324 40c602 17323->17324 17325 40320a 70 API calls 17324->17325 17326 40c60e 17325->17326 17349 40c6d8 17326->17349 17525 4111e2 17326->17525 17330 40c700 17334 4096a4 70 API calls 17330->17334 17348 40c64c ~_Task_impl 17330->17348 17331 40c677 17536 408730 17331->17536 17332 40c63c GetLastError 17332->17348 17336 40c74a 17334->17336 17554 4087e6 17336->17554 17337 408639 70 API calls 17339 40c693 17337->17339 17539 408826 17339->17539 17342 4096a4 70 API calls 17346 40c757 17342->17346 17343 408639 70 API calls 17344 40c6bc 
17343->17344 17542 40b902 17344->17542 17345 4087e6 70 API calls 17345->17346 17346->17342 17346->17345 17346->17348 17348->17281 17502 40c166 17349->17502 17351 408ba7 17350->17351 17352 408b5a ~_Task_impl 5 API calls 17351->17352 17353 408baf 17352->17353 17353->17283 17355 40110f 70 API calls 17354->17355 17356 40409c 17355->17356 17356->17288 17358 409a03 17357->17358 17359 4099ec 17357->17359 17361 410f49 17358->17361 17359->17358 17360 408670 70 API calls 17359->17360 17360->17358 17362 410f55 __EH_prolog3 17361->17362 17363 401647 70 API calls 17362->17363 17365 410f60 17363->17365 17364 410fa3 17366 404082 70 API calls 17364->17366 17365->17364 17367 406dda __VEC_memcpy 17365->17367 17376 410f8b ~_Task_impl 17365->17376 17378 410faf 17366->17378 17367->17364 17369 410fb8 GetLastError 17370 411021 17369->17370 17369->17378 17371 40320a 70 API calls 17370->17371 17373 411029 17371->17373 17372 408639 70 API calls 17381 411083 17372->17381 17374 409371 74 API calls 17373->17374 17377 41101f 17374->17377 17375 408730 70 API calls 17375->17378 17376->17292 17377->17372 17377->17376 17378->17369 17378->17375 17378->17376 17378->17377 17380 408639 70 API calls 17378->17380 18277 410b45 17378->18277 17379 408730 70 API calls 17379->17381 17380->17378 17381->17376 17381->17379 17382 410b45 74 API calls 17381->17382 17382->17381 17384 408645 17383->17384 17386 40865a 17383->17386 17385 40110f 70 API calls 17384->17385 17385->17386 17386->17279 17388 40c9a3 __EH_prolog3 17387->17388 18290 40c825 17388->18290 17392 40c9c3 ~_Task_impl 17392->17298 17394 40165e 17393->17394 17395 40110f 70 API calls 17394->17395 17396 401668 17395->17396 17396->17297 17398 41255d __EH_prolog3 17397->17398 17399 408639 70 API calls 17398->17399 17400 412581 17399->17400 17401 408639 70 API calls 17400->17401 17402 4125ad 17401->17402 17403 4099df 70 API calls 17402->17403 17404 4125ba 17403->17404 17405 40c825 71 API calls 17404->17405 17406 4125c5 17405->17406 17407 408639 70 API calls 
17406->17407 17408 4125d4 17407->17408 17409 40c825 71 API calls 17408->17409 17410 4125ee 17409->17410 17411 408639 70 API calls 17410->17411 17412 412600 17411->17412 17413 40c825 71 API calls 17412->17413 17414 412617 17413->17414 17415 408639 70 API calls 17414->17415 17416 412629 17415->17416 17417 40c825 71 API calls 17416->17417 17418 412640 17417->17418 17419 408639 70 API calls 17418->17419 17420 412652 17419->17420 17421 40c825 71 API calls 17420->17421 17422 412669 17421->17422 17423 408639 70 API calls 17422->17423 17424 41267b 17423->17424 17425 40c825 71 API calls 17424->17425 17426 412692 17425->17426 17427 408639 70 API calls 17426->17427 17428 4126a4 17427->17428 17429 40c825 71 API calls 17428->17429 17430 4126bb 17429->17430 17431 408639 70 API calls 17430->17431 17432 4126cd 17431->17432 17433 40c825 71 API calls 17432->17433 17434 4126e4 17433->17434 17435 408639 70 API calls 17434->17435 17436 4126f6 ~_Task_impl 17435->17436 17436->17279 17438 409287 __EH_prolog3 17437->17438 17439 4091a4 FindClose 17438->17439 17440 40929d 17439->17440 17441 4092a1 17440->17441 17442 4092a5 FindFirstFileW 17440->17442 17445 416b12 __ehhandler$___std_fs_remove@4 5 API calls 17441->17445 17443 4092b9 17442->17443 17452 4092de 17442->17452 17446 40320a 70 API calls 17443->17446 17444 409208 70 API calls 17444->17441 17447 409318 17445->17447 17448 4092c1 17446->17448 17453 4091a4 17447->17453 17456 409876 17448->17456 17451 4092d3 FindFirstFileW 17451->17452 17452->17441 17452->17444 17454 4091ae FindClose 17453->17454 17455 4091b9 17453->17455 17454->17455 17455->17314 17459 409724 17456->17459 17458 4092cf 17458->17451 17458->17452 17460 409730 __EH_prolog3 17459->17460 17461 40320a 70 API calls 17460->17461 17466 40983e ~_Task_impl 17460->17466 17463 409785 17461->17463 17462 4097c4 GetCurrentDirectoryW 17467 4097d7 17462->17467 17463->17462 17464 40110f 70 API calls 17463->17464 17465 409803 17463->17465 17464->17462 17468 401647 70 API calls 17465->17468 
17466->17458 17467->17465 17467->17466 17476 408670 17467->17476 17469 409810 17468->17469 17479 4096a4 17469->17479 17472 409822 17485 4096e4 17472->17485 17474 409831 17475 408639 70 API calls 17474->17475 17475->17466 17491 4084ef 17476->17491 17480 4096b0 __EH_prolog3 17479->17480 17481 404082 70 API calls 17480->17481 17482 4096c3 17481->17482 17495 408fde 17482->17495 17484 4096d9 ~_Task_impl 17484->17472 17486 4096f0 __EH_prolog3 17485->17486 17487 404082 70 API calls 17486->17487 17488 409703 17487->17488 17498 40966c 17488->17498 17490 409719 ~_Task_impl 17490->17474 17492 408533 17491->17492 17493 408503 17491->17493 17492->17465 17494 40110f 70 API calls 17493->17494 17494->17492 17496 4084ef 70 API calls 17495->17496 17497 408fee 17496->17497 17497->17484 17499 409679 17498->17499 17500 4084ef 70 API calls 17499->17500 17501 409683 17500->17501 17501->17490 17514 40c176 __EH_prolog3 17502->17514 17503 40b9d7 70 API calls 17503->17514 17504 40c418 17507 409a4a VariantClear 17504->17507 17505 408639 70 API calls 17505->17514 17506 40c58b 17509 409a4a VariantClear 17506->17509 17515 40c18b 17507->17515 17509->17515 17514->17503 17514->17504 17514->17505 17514->17506 17514->17515 17516 40bb33 70 API calls 17514->17516 17562 40c093 17514->17562 17573 409a4a 17514->17573 17577 40ba1b 17514->17577 17602 40bd49 17514->17602 17646 40b7a3 17514->17646 17515->17330 17516->17514 17518 40bb7f __EH_prolog3 17517->17518 17519 40320a 70 API calls 17518->17519 17520 40bbc1 17519->17520 17521 40320a 70 API calls 17520->17521 17522 40bbcc 17521->17522 17523 40320a 70 API calls 17522->17523 17524 40bbd8 ~_Task_impl 17523->17524 17524->17320 18246 403fa3 17525->18246 17528 40c638 17528->17331 17528->17332 17529 411228 17529->17528 17530 403fa3 70 API calls 17529->17530 17534 411268 17529->17534 17533 41124f GetFullPathNameW 17530->17533 17531 411282 lstrlenW 17532 41128d 17531->17532 18250 411105 17532->18250 17533->17534 17534->17528 17534->17531 17534->17532 18266 40869c 
17536->18266 17538 408745 17538->17337 17540 40869c 70 API calls 17539->17540 17541 408840 17540->17541 17541->17343 17543 40b90e __EH_prolog3 17542->17543 17544 408639 70 API calls 17543->17544 17545 40b91d 17544->17545 17546 4096a4 70 API calls 17545->17546 17547 40b92a 17546->17547 17548 409371 74 API calls 17547->17548 17549 40b939 17548->17549 17550 40b967 17549->17550 17551 4166e0 __CxxThrowException@8 RaiseException 17549->17551 17552 408b5a ~_Task_impl 5 API calls 17550->17552 17551->17550 17553 40b96f ~_Task_impl 17552->17553 17553->17349 17555 4087f2 __EH_prolog3 17554->17555 17556 408bd0 70 API calls 17555->17556 17557 4087fb 17556->17557 17558 408812 17557->17558 17559 404082 70 API calls 17557->17559 17560 40105e 70 API calls 17558->17560 17559->17558 17561 40881e ~_Task_impl 17560->17561 17561->17346 17563 40c09f __EH_prolog3 17562->17563 17564 40c0b8 17563->17564 17565 40c0df 17563->17565 17567 408bd0 70 API calls 17564->17567 17566 40c0bf 17565->17566 17569 408bd0 70 API calls 17565->17569 17568 40bd49 122 API calls 17566->17568 17567->17566 17570 40c13c ~_Task_impl 17568->17570 17571 40c0eb 17569->17571 17570->17514 17571->17566 17572 40c117 GetLastError 17571->17572 17572->17570 17574 409a08 17573->17574 17575 409a29 VariantClear 17574->17575 17576 409a40 17574->17576 17575->17514 17576->17514 17578 40ba27 __EH_prolog3 17577->17578 17579 40ba62 17578->17579 17580 40ba4f 17578->17580 17582 40ba78 17579->17582 17583 40ba69 17579->17583 17581 409a4a VariantClear 17580->17581 17590 40ba5b ~_Task_impl 17581->17590 17585 40ba76 17582->17585 17586 40bb1a 17582->17586 17584 4090ca 70 API calls 17583->17584 17584->17585 17588 409a4a VariantClear 17585->17588 17587 409a4a VariantClear 17586->17587 17587->17590 17589 40ba9b 17588->17589 17589->17590 17591 408639 70 API calls 17589->17591 17590->17514 17592 40baab 17591->17592 17593 40bad1 17592->17593 17594 40baea 17592->17594 17595 40bb0d 17592->17595 17597 409a4a VariantClear 17593->17597 17598 408670 70 
API calls 17594->17598 17595->17593 17596 40bafd 17595->17596 17599 409a4a VariantClear 17596->17599 17597->17590 17600 40baf3 17598->17600 17599->17590 17601 40966c 70 API calls 17600->17601 17601->17596 17603 40bd55 __EH_prolog3 17602->17603 17650 40908d 17603->17650 17606 40320a 70 API calls 17607 40bd81 17606->17607 17609 408826 70 API calls 17607->17609 17615 40bdae 17607->17615 17608 40bdd7 17686 40105e 17608->17686 17612 40bda1 17609->17612 17611 40be29 17621 40bde2 17611->17621 17642 40be34 17611->17642 17696 408a4d 17611->17696 17614 408639 70 API calls 17612->17614 17614->17615 17615->17608 17620 40bde7 17615->17620 17617 408bc5 ~_Task_impl 5 API calls 17622 40be45 ~_Task_impl 17617->17622 17619 40105e 70 API calls 17619->17620 17620->17611 17620->17619 17689 40b987 17620->17689 17693 40b786 17620->17693 17624 40bf62 17621->17624 17621->17642 17654 409f8a 17621->17654 17660 403975 17621->17660 17680 40469f 17621->17680 17622->17514 17623 40bfbf 17625 409a4a VariantClear 17623->17625 17624->17623 17626 4090ca 70 API calls 17624->17626 17624->17642 17627 40bfcb 17625->17627 17626->17623 17628 40c043 17627->17628 17629 40bfe5 17627->17629 17630 40b987 2 API calls 17628->17630 17631 401647 70 API calls 17629->17631 17632 40c04e 17630->17632 17633 40bff3 17631->17633 17635 40b72f 72 API calls 17632->17635 17634 401647 70 API calls 17633->17634 17636 40c000 17634->17636 17637 40c06c 17635->17637 17700 40b72f 17636->17700 17639 408639 70 API calls 17637->17639 17639->17642 17640 40c019 17641 408639 70 API calls 17640->17641 17641->17642 17642->17617 17647 40b7af __EH_prolog3 17646->17647 17648 409a4a VariantClear 17647->17648 17649 40b7ee ~_Task_impl 17648->17649 17649->17514 17651 40909e 17650->17651 17652 408826 70 API calls 17651->17652 17653 4090c3 17652->17653 17653->17606 17655 409f93 17654->17655 17656 409f9a 17654->17656 17655->17621 17706 4094d4 SetFilePointer 17656->17706 17661 403981 __EH_prolog3_catch_GS 17660->17661 17662 40469f 73 API calls 
17661->17662 17663 4039f6 17662->17663 17664 403a31 17663->17664 17665 4039fc 17663->17665 17667 40320a 70 API calls 17664->17667 17716 4037b0 17665->17716 17668 403a45 17667->17668 17712 4060ec 17668->17712 17677 403a08 17725 416c1c 17677->17725 17681 4046b0 17680->17681 17685 409f8a 3 API calls 17681->17685 17682 4046c4 17683 4046d4 17682->17683 18111 404515 17682->18111 17683->17621 17685->17682 18121 408b62 17686->18121 17690 40b992 17689->17690 17691 40b9af 17689->17691 17690->17691 18125 4089e5 17690->18125 17691->17620 18129 408b8a 17693->18129 17697 408a5e 17696->17697 17699 40fc1b 2 API calls 17696->17699 18137 401a63 17696->18137 17697->17621 17699->17697 17701 40b73b __EH_prolog3 17700->17701 18199 40b644 17701->18199 17703 40b754 18220 40898e 17703->18220 17705 40b767 ~_Task_impl 17705->17640 17707 4094fd GetLastError 17706->17707 17708 409507 17706->17708 17707->17708 17709 409e0f 17708->17709 17710 409e16 17709->17710 17711 409e1a GetLastError 17709->17711 17710->17655 17711->17710 17713 4060f8 __EH_prolog3_catch 17712->17713 17728 405e50 17713->17728 17717 4037bc __EH_prolog3 17716->17717 18091 40331a 17717->18091 17719 4037cd ~_Task_impl 17719->17677 17726 416b12 __ehhandler$___std_fs_remove@4 5 API calls 17725->17726 17727 416c26 17726->17727 17727->17727 17729 405e5c __EH_prolog3 17728->17729 17747 403043 17729->17747 17893 402fb4 17747->17893 17894 408b5a ~_Task_impl 5 API calls 17893->17894 17895 402fbd 17894->17895 17896 408b5a ~_Task_impl 5 API calls 17895->17896 17897 402fc5 17896->17897 17898 408b5a ~_Task_impl 5 API calls 17897->17898 17899 402fcd 17898->17899 17900 408b5a ~_Task_impl 5 API calls 17899->17900 17901 402fd5 17900->17901 17902 408b5a ~_Task_impl 5 API calls 17901->17902 17903 402fdd 17902->17903 17904 408b5a ~_Task_impl 5 API calls 17903->17904 17905 402fe5 17904->17905 17906 408b5a ~_Task_impl 5 API calls 17905->17906 17907 402fef 17906->17907 17908 408b5a ~_Task_impl 5 API calls 17907->17908 17909 402ff7 17908->17909 17910 
408b5a ~_Task_impl 5 API calls 17909->17910 17911 403004 17910->17911 17912 408b5a ~_Task_impl 5 API calls 17911->17912 17913 40300c 17912->17913 17914 408b5a ~_Task_impl 5 API calls 17913->17914 17915 403019 17914->17915 17916 408b5a ~_Task_impl 5 API calls 17915->17916 17917 403021 17916->17917 17918 408b5a ~_Task_impl 5 API calls 17917->17918 17919 40302e 17918->17919 17920 408b5a ~_Task_impl 5 API calls 17919->17920 17921 403036 17920->17921 18092 403326 __EH_prolog3 18091->18092 18093 408b5a ~_Task_impl 5 API calls 18092->18093 18094 40333a 18093->18094 18095 408bc5 ~_Task_impl 5 API calls 18094->18095 18096 403345 ~_Task_impl 18095->18096 18096->17719 18112 404521 __EH_prolog3 18111->18112 18113 40b06f GetLastError 18112->18113 18114 404531 18113->18114 18115 40140a 70 API calls 18114->18115 18116 404544 ~_Task_impl 18114->18116 18118 404568 _realloc 18115->18118 18116->17683 18117 416c30 ___BuildCatchObjectHelper __VEC_memcpy 18117->18118 18118->18116 18118->18117 18119 404651 _realloc 18118->18119 18120 409f8a 3 API calls 18119->18120 18120->18116 18122 401066 18121->18122 18123 408b6a 18121->18123 18122->17621 18124 408a61 70 API calls 18123->18124 18124->18122 18126 4089f2 18125->18126 18127 408a0b CharUpperW CharUpperW 18126->18127 18128 408a2d 18126->18128 18127->18126 18127->18128 18128->17690 18130 408b62 70 API calls 18129->18130 18131 408b92 18130->18131 18134 408afb 18131->18134 18135 416c30 ___BuildCatchObjectHelper __VEC_memcpy 18134->18135 18136 408b23 18135->18136 18136->17620 18142 401a78 18137->18142 18138 401aa6 18157 408b29 18138->18157 18142->18138 18143 40177a 18142->18143 18144 401786 __EH_prolog3 18143->18144 18145 408bc5 ~_Task_impl 5 API calls 18144->18145 18146 40179d 18145->18146 18147 408bc5 ~_Task_impl 5 API calls 18146->18147 18148 4017ac 18147->18148 18161 4015e5 18148->18161 18150 4017bb 18167 401489 18150->18167 18152 4017c7 18173 40b173 18152->18173 18156 4017de ~_Task_impl 18156->18142 18158 408b3d 18157->18158 18159 401ab4 
18158->18159 18160 408afb __VEC_memcpy 18158->18160 18159->17697 18160->18159 18162 4015f1 __EH_prolog3 18161->18162 18163 408b5a ~_Task_impl 5 API calls 18162->18163 18164 401605 18163->18164 18165 408bc5 ~_Task_impl 5 API calls 18164->18165 18166 401610 ~_Task_impl 18165->18166 18166->18150 18168 401495 __EH_prolog3 18167->18168 18169 408b5a ~_Task_impl 5 API calls 18168->18169 18170 4014a9 18169->18170 18171 408bc5 ~_Task_impl 5 API calls 18170->18171 18172 4014b4 ~_Task_impl 18171->18172 18172->18152 18174 40b18a 18173->18174 18176 40b190 18173->18176 18195 40fca0 SetEvent 18174->18195 18177 40b19f 18176->18177 18198 40fc41 WaitForSingleObject 18176->18198 18179 40fc1b ctype 2 API calls 18177->18179 18180 40b1a5 18179->18180 18181 40fc1b ctype 2 API calls 18180->18181 18182 40b1ae 18181->18182 18183 40fc1b ctype 2 API calls 18182->18183 18184 4017d2 18183->18184 18185 40157a 18184->18185 18186 401586 __EH_prolog3 18185->18186 18187 408bc5 ~_Task_impl 5 API calls 18186->18187 18188 40159a 18187->18188 18189 408bc5 ~_Task_impl 5 API calls 18188->18189 18190 4015a6 18189->18190 18191 408bc5 ~_Task_impl 5 API calls 18190->18191 18192 4015b2 18191->18192 18193 408bc5 ~_Task_impl 5 API calls 18192->18193 18194 4015be ~_Task_impl 18193->18194 18194->18156 18196 40fc0b GetLastError 18195->18196 18197 40fcb2 18196->18197 18197->18176 18198->18177 18201 40b650 __EH_prolog3 18199->18201 18200 40b6d0 18203 40b701 18200->18203 18204 40b6dd 18200->18204 18201->18200 18202 408826 70 API calls 18201->18202 18205 40b680 18202->18205 18208 40b71a 18203->18208 18209 40b70a 18203->18209 18206 408730 70 API calls 18204->18206 18207 4089e5 ctype 2 API calls 18205->18207 18211 40b6e9 18206->18211 18212 40b68d 18207->18212 18210 4096a4 70 API calls 18208->18210 18213 4096e4 70 API calls 18209->18213 18215 40b6c5 ~_Task_impl 18210->18215 18214 4096a4 70 API calls 18211->18214 18212->18200 18216 40b6a6 18212->18216 18213->18215 18214->18215 18215->17703 18217 408730 70 API calls 
18216->18217 18218 40b6b2 18217->18218 18219 4096a4 70 API calls 18218->18219 18219->18215 18225 408768 18220->18225 18222 4089a0 18235 40887e 18222->18235 18224 4089a8 18224->17705 18226 408774 __EH_prolog3 18225->18226 18227 40320a 70 API calls 18226->18227 18228 408786 18227->18228 18229 408670 70 API calls 18228->18229 18230 40879a 18229->18230 18231 408670 70 API calls 18230->18231 18232 4087a3 18231->18232 18233 408670 70 API calls 18232->18233 18234 4087ac ~_Task_impl 18233->18234 18234->18222 18236 4088c9 18235->18236 18237 40888f 18235->18237 18236->18224 18237->18236 18239 406dda 18237->18239 18240 406df0 18239->18240 18241 406e04 18240->18241 18243 406db3 18240->18243 18241->18236 18244 416c30 ___BuildCatchObjectHelper __VEC_memcpy 18243->18244 18245 406dd4 18244->18245 18245->18241 18247 403fb5 GetFullPathNameW 18246->18247 18248 403faf 18246->18248 18247->17529 18249 40110f 70 API calls 18248->18249 18249->18247 18252 411111 __EH_prolog3 _wcslen 18250->18252 18251 4111c8 ~_Task_impl 18251->17528 18252->18251 18262 410dd8 18252->18262 18255 410dd8 70 API calls 18256 411162 18255->18256 18257 408730 70 API calls 18256->18257 18260 411191 18256->18260 18258 41117c 18257->18258 18259 4089e5 ctype 2 API calls 18258->18259 18259->18260 18260->18251 18261 408670 70 API calls 18260->18261 18261->18260 18263 410de6 _wcslen 18262->18263 18264 401647 70 API calls 18263->18264 18265 410e11 18264->18265 18265->18255 18268 4086a8 __EH_prolog3 18266->18268 18267 4086d5 18269 40320a 70 API calls 18267->18269 18268->18267 18270 4086ca 18268->18270 18272 4086dd 18269->18272 18271 404082 70 API calls 18270->18271 18276 4086d3 ~_Task_impl 18271->18276 18273 40110f 70 API calls 18272->18273 18274 4086ea 18273->18274 18275 404082 70 API calls 18274->18275 18275->18276 18276->17538 18289 416b21 18277->18289 18279 410b51 CreateDirectoryW 18280 410b66 GetLastError 18279->18280 18286 410b62 ~_Task_impl 18279->18286 18281 410b73 18280->18281 18280->18286 18282 40320a 70 API 
calls 18281->18282 18283 410b7b 18282->18283 18284 409876 71 API calls 18283->18284 18285 410b8b 18284->18285 18285->18286 18287 410b8f CreateDirectoryW 18285->18287 18286->17378 18288 410ba0 18287->18288 18288->18286 18289->18279 18301 409be1 18290->18301 18293 40c93e 18294 40c94a __EH_prolog3 18293->18294 18295 404082 70 API calls 18294->18295 18296 40c95d 18295->18296 18297 401647 70 API calls 18296->18297 18298 40c971 18297->18298 18311 40c8c5 18298->18311 18300 40c983 ~_Task_impl 18300->17392 18304 409b71 18301->18304 18303 409bfa 18303->18293 18305 409b7d __EH_prolog3 18304->18305 18306 40320a 70 API calls 18305->18306 18307 409b8f 18306->18307 18308 403fa3 70 API calls 18307->18308 18309 409bb0 LoadStringW 18308->18309 18309->18307 18310 409bc6 ~_Task_impl 18309->18310 18310->18303 18312 40c8d7 18311->18312 18313 40c8db 18311->18313 18312->18300 18313->18312 18314 406dda __VEC_memcpy 18313->18314 18316 40c86e 18313->18316 18314->18313 18317 40c87d 18316->18317 18319 40c896 18317->18319 18320 40c83f 18317->18320 18319->18313 18321 40c84f 18320->18321 18322 4084ef 70 API calls 18321->18322 18323 40c85b 18322->18323 18324 406db3 __VEC_memcpy 18323->18324 18325 40c868 18324->18325 18325->18319 18326->17303 18327 40756b 18328 407578 18327->18328 18330 40757f 18327->18330 18331 407512 18328->18331 18332 40751e __EH_prolog3 18331->18332 18343 4070dc 18332->18343 18334 407535 18347 4070ab 18334->18347 18336 407541 18337 4070ab VirtualFree 18336->18337 18338 40754d 18337->18338 18339 4070ab VirtualFree 18338->18339 18340 407559 18339->18340 18341 4070ab VirtualFree 18340->18341 18342 407565 ~_Task_impl 18341->18342 18342->18330 18344 4070e8 __EH_prolog3 18343->18344 18351 40aaba 18344->18351 18346 4070f6 ~_Task_impl 18346->18334 18348 4070b7 __EH_prolog3 18347->18348 18357 40a897 18348->18357 18350 4070c5 ~_Task_impl 18350->18336 18354 40d894 18351->18354 18355 40d89b VirtualFree 18354->18355 18356 40aac4 18354->18356 18355->18356 18356->18346 18358 40d894 
VirtualFree 18357->18358 18359 40a8a2 18358->18359 18359->18350 18360 411f51 18361 411f5e 18360->18361 18366 411f73 18360->18366 18369 411c5d KillTimer 18361->18369 18364 411f69 18364->18366 18367 411f8c 18364->18367 18365 411f8a 18370 4107bb 18366->18370 18394 411eba EndDialog 18367->18394 18369->18364 18371 4107d0 18370->18371 18375 41088b 18370->18375 18372 4108e1 18371->18372 18373 4107d9 18371->18373 18374 4108e8 GetDesktopWindow SetForegroundWindow 18372->18374 18372->18375 18373->18375 18376 4108b1 18373->18376 18377 4107f6 18373->18377 18374->18375 18375->18365 18407 41203e 18376->18407 18434 411a09 SetWindowTextW 18376->18434 18435 410729 SendMessageW 18376->18435 18377->18375 18378 410893 18377->18378 18379 410805 18377->18379 18395 411ec8 18378->18395 18381 410810 ShowWindow 18379->18381 18382 41084b 18379->18382 18380 4108b8 SetEvent 18380->18375 18383 41081b PeekMessageW 18381->18383 18382->18375 18384 410850 ShowWindow 18382->18384 18383->18383 18385 41082d 18383->18385 18386 41085b PeekMessageW 18384->18386 18436 41079e DialogBoxParamW 18385->18436 18386->18386 18388 41086d MessageBoxW SetEvent 18386->18388 18388->18375 18389 41083c SetEvent 18389->18382 18394->18365 18437 411cfc EnterCriticalSection LeaveCriticalSection 18395->18437 18397 411edc 18406 411f1d __aulldiv 18397->18406 18438 411e99 18397->18438 18401 411ef7 18402 411f07 18401->18402 18403 411f10 18401->18403 18446 411ddf 18402->18446 18442 411e2a 18403->18442 18406->18375 18450 416b21 18407->18450 18409 41204a GetDlgItem 18410 412097 SetTimer 18409->18410 18411 412077 LoadIconW SendMessageW 18409->18411 18451 411a09 SetWindowTextW 18410->18451 18411->18410 18413 4120b1 18414 411e99 PostMessageW 18413->18414 18415 4120b8 18414->18415 18416 40320a 70 API calls 18415->18416 18417 4120c0 18416->18417 18418 40c825 71 API calls 18417->18418 18419 4120ce 18418->18419 18420 408639 70 API calls 18419->18420 18421 4120db 18420->18421 18422 4120e6 SetDlgItemTextW 18421->18422 18423 40320a 70 API 
calls 18422->18423 18424 412101 18423->18424 18425 40c825 71 API calls 18424->18425 18426 412110 18425->18426 18427 408639 70 API calls 18426->18427 18428 41211d 18427->18428 18429 412129 SetDlgItemTextW 18428->18429 18452 410729 SendMessageW 18429->18452 18431 41213f 18432 40fca0 2 API calls 18431->18432 18433 41214e ~_Task_impl 18432->18433 18433->18380 18434->18380 18435->18380 18436->18389 18437->18397 18439 411ea2 PostMessageW 18438->18439 18440 411eb8 18438->18440 18439->18440 18441 411d6e EnterCriticalSection LeaveCriticalSection 18440->18441 18441->18401 18443 411e3f 18442->18443 18445 411e89 18443->18445 18449 411c72 SendMessageW 18443->18449 18445->18406 18447 411e06 18446->18447 18448 411e13 SendMessageW 18447->18448 18448->18403 18449->18445 18450->18409 18451->18413 18452->18431 18453 412970 18515 411cbc EnterCriticalSection LeaveCriticalSection 18453->18515 18455 41298e 18456 41298a 18456->18455 18457 40320a 70 API calls 18456->18457 18511 4129c7 18456->18511 18459 4129df 18457->18459 18458 409a4a VariantClear 18458->18455 18460 4129f3 18459->18460 18461 4129e5 18459->18461 18463 4090ca 70 API calls 18460->18463 18460->18511 18462 408639 70 API calls 18461->18462 18464 4129f1 18462->18464 18463->18464 18465 408639 70 API calls 18464->18465 18470 412a21 18465->18470 18466 412a4c 18467 409a4a VariantClear 18466->18467 18467->18511 18468 412a76 18469 409a4a VariantClear 18468->18469 18469->18511 18470->18466 18470->18468 18471 412ad0 18470->18471 18472 412add 18470->18472 18507 412d44 18470->18507 18473 409a4a VariantClear 18471->18473 18474 409a4a VariantClear 18472->18474 18473->18466 18475 412af4 18474->18475 18475->18466 18476 412b10 18475->18476 18476->18468 18516 40900b 18476->18516 18478 412b60 18479 412b72 18478->18479 18480 412b65 18478->18480 18481 404082 70 API calls 18479->18481 18550 4085b9 18480->18550 18484 412b7e 18481->18484 18483 412ba0 18485 4096a4 70 API calls 18483->18485 18484->18483 18527 412707 18484->18527 18487 412bb1 

                                                            Executed Functions

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            C-Code - Quality: 71%
                                                            			E00413F63(void* __ecx, char* __edx) {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				signed int _t361;
                                                            				void* _t368;
                                                            				intOrPtr _t370;
                                                            				intOrPtr _t422;
                                                            				signed int _t428;
                                                            				signed int _t429;
                                                            				signed int _t439;
                                                            				signed int _t442;
                                                            				signed int _t447;
                                                            				signed int _t449;
                                                            				signed int _t461;
                                                            				signed int _t464;
                                                            				signed int _t465;
                                                            				void* _t470;
                                                            				signed int _t496;
                                                            				signed int _t503;
                                                            				signed int _t523;
                                                            				signed int _t531;
                                                            				signed int _t558;
                                                            				WCHAR** _t579;
                                                            				signed int _t592;
                                                            				signed int _t611;
                                                            				signed int _t615;
                                                            				signed int _t681;
                                                            				signed int _t682;
                                                            				signed int _t683;
                                                            				signed int _t684;
                                                            				void* _t694;
                                                            				void* _t695;
                                                            				void* _t703;
                                                            				void* _t705;
                                                            				void* _t707;
                                                            				void* _t709;
                                                            				void* _t711;
                                                            				void* _t713;
                                                            				void* _t715;
                                                            				void* _t717;
                                                            				void* _t719;
                                                            				void* _t834;
                                                            				signed int _t835;
                                                            				void* _t839;
                                                            				void* _t842;
                                                            				void* _t844;
                                                            				signed int _t847;
                                                            				void* _t849;
                                                            				void* _t850;
                                                            				char** _t852;
                                                            
                                                            				_t831 = __edx;
                                                            				_t695 = __ecx;
                                                            				_t847 = _t849 - 0x68;
                                                            				_t850 = _t849 - 0x318;
                                                            				_t361 =  *0x42d330; // 0x6d29bea0
                                                            				 *(_t847 + 0x64) = _t361 ^ _t847;
                                                            				 *(_t847 - 0xb8) = 0;
                                                            				_t833 = GetVersionExW;
                                                            				 *0x43063c =  *((intOrPtr*)(_t847 + 0x70));
                                                            				 *(_t847 - 0xb0) = 0x114;
                                                            				if(GetVersionExW(_t847 - 0xb0) == 0 ||  *((intOrPtr*)(_t847 - 0xa0)) != 2) {
                                                            					E00411936(0, _t695, _t833, 0x114, 0,  *0x430680);
                                                            					L3:
                                                            					_t368 = 1;
                                                            					goto L4;
                                                            				} else {
                                                            					__imp__CoInitialize(0); // executed
                                                            					_t370 = E00413849(); // executed
                                                            					 *0x430640 = _t370;
                                                            					E00417D60(GetVersionExW, _t847 - 0xb0, 0, 0x114);
                                                            					_t852 = _t850 + 0xc;
                                                            					 *(_t847 - 0xb0) = 0x114;
                                                            					GetVersionExW(_t847 - 0xb0);
                                                            					__eflags =  *((intOrPtr*)(_t847 - 0xac)) - 6;
                                                            					if(__eflags != 0) {
                                                            						L10:
                                                            						if(__eflags <= 0) {
                                                            							L12:
                                                            							E0040320A(_t847 - 0x1e4);
                                                            							E0040320A(_t847 - 0xdc);
                                                            							E0040320A(_t847 - 0x1a8);
                                                            							E0040320A(_t847 - 0x19c);
                                                            							E00401647(_t847 - 0xd0, _t847, GetCommandLineW());
                                                            							_push(_t847 - 0xdc);
                                                            							_push(_t847 - 0x1e4);
                                                            							_push(_t847 - 0xd0);
                                                            							E004088CF(0, _t833, 0x114, __eflags);
                                                            							_push( *(_t847 - 0xd0));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t703);
                                                            							E00408639(0x430644, _t847, E0040C825(_t703, _t847 - 0xc4, 0x11));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t705);
                                                            							E00408639(0x430650, _t847, E0040C825(_t705, _t847 - 0xc4, 0x12));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t707);
                                                            							E00408639(0x43065c, _t847, E0040C825(_t707, _t847 - 0xc4, 0x16));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t709);
                                                            							E00408639(0x430668, _t847, E0040C825(_t709, _t847 - 0xc4, 0x17));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t711);
                                                            							E00408639(0x430674, _t847, E0040C825(_t711, _t847 - 0xc4, 0xf));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t713);
                                                            							E00408639(0x430698, _t847, E0040C825(_t713, _t847 - 0xc4, 0xc));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t715);
                                                            							E00408639(0x4306a4, _t847, E0040C825(_t715, _t847 - 0xc4, 0x18));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t717);
                                                            							E00408639(0x430680, _t847, E0040C825(_t717, _t847 - 0xc4, 0x10));
                                                            							_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							_pop(_t719);
                                                            							E00408639(0x43068c, _t847, E0040C825(_t719, _t847 - 0xc4, 0x10));
                                                            							L00408BFB(0, _t833, 0x114, __eflags);
                                                            							 *_t852 = 0x2000; // executed
                                                            							_t422 = E00408BD0(0, _t833, __eflags,  *((intOrPtr*)(_t847 - 0xc4))); // executed
                                                            							 *((intOrPtr*)(_t847 - 0xe0)) = _t422;
                                                            							 *_t852 = 0x423a68;
                                                            							E00401647(_t847 - 0x174, _t847);
                                                            							E0040320A(_t847 - 0x180);
                                                            							_t840 = L"\"-k=";
                                                            							 *(_t847 - 0xb1) = 0;
                                                            							_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"\"-k=");
                                                            							__eflags = _t835;
                                                            							if(_t835 == 0) {
                                                            								_t840 = L"\"/k=";
                                                            								_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"\"/k=");
                                                            								__eflags = _t835;
                                                            								if(_t835 != 0) {
                                                            									goto L13;
                                                            								}
                                                            								_t840 = L"-k=";
                                                            								_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"-k=");
                                                            								__eflags = _t835;
                                                            								if(_t835 != 0) {
                                                            									L17:
                                                            									_t428 = _t835 + E00417DDA(_t840) * 2;
                                                            									__eflags = _t428;
                                                            									if(_t428 != 0) {
                                                            										_push(_t847 - 0x174);
                                                            										__eflags =  *(_t847 - 0xb1);
                                                            										if(__eflags == 0) {
                                                            											_push(L" \t\n");
                                                            										} else {
                                                            											_push(L"\"\t\n");
                                                            										}
                                                            										_push(_t428);
                                                            										E00413C44(0, _t831, _t835, _t840, __eflags);
                                                            									}
                                                            									L22:
                                                            									__eflags =  *(_t847 - 0x170);
                                                            									if( *(_t847 - 0x170) != 0) {
                                                            										E00417F66( *((intOrPtr*)(_t847 - 0xe0)), 0x1000,  *((intOrPtr*)(_t847 - 0x174)));
                                                            										_t852 =  &(_t852[3]);
                                                            										E004090CA(_t847 - 0x180, _t847,  *((intOrPtr*)(_t847 - 0xe0)));
                                                            									}
                                                            									_t429 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"-s");
                                                            									__eflags = _t429;
                                                            									if(_t429 != 0) {
                                                            										L28:
                                                            										 *((char*)(_t847 - 0xe0)) = 1;
                                                            										L29:
                                                            										E0040320A(_t847 - 0x15c);
                                                            										E00409101(0, _t835,  *0x43063c, _t847 - 0x15c);
                                                            										E0040898E(0, _t847 - 0xdc, _t831, _t835);
                                                            										E00408968(0, _t847 - 0xdc, _t831, _t835);
                                                            										 *(_t847 - 0xb1) =  *((intOrPtr*)(_t847 - 0xe0));
                                                            										 *(_t847 - 0xb8) = 3;
                                                            										_t841 = E00401647(_t847 - 0x1b4, _t847, L"-y");
                                                            										_t439 = E004089E5(_t847 - 0xdc,  *((intOrPtr*)(E00408730(_t847 - 0xdc, _t847 - 0xfc, 2))),  *_t436);
                                                            										__eflags = _t439;
                                                            										if(_t439 == 0) {
                                                            											L31:
                                                            											 *(_t847 - 0xb2) = 1;
                                                            											L32:
                                                            											__eflags =  *(_t847 - 0xb8) & 0x00000008;
                                                            											if(( *(_t847 - 0xb8) & 0x00000008) != 0) {
                                                            												_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            												_t88 = _t847 - 0xb8;
                                                            												 *_t88 =  *(_t847 - 0xb8) & 0xfffffff7;
                                                            												__eflags =  *_t88;
                                                            												L00408BFB(0, _t835, _t841,  *_t88);
                                                            											}
                                                            											__eflags =  *(_t847 - 0xb8) & 0x00000004;
                                                            											if(( *(_t847 - 0xb8) & 0x00000004) != 0) {
                                                            												_push( *(_t847 - 0xd0));
                                                            												_t94 = _t847 - 0xb8;
                                                            												 *_t94 =  *(_t847 - 0xb8) & 0xfffffffb;
                                                            												__eflags =  *_t94;
                                                            												L00408BFB(0, _t835, _t841,  *_t94);
                                                            											}
                                                            											__eflags =  *(_t847 - 0xb8) & 0x00000002;
                                                            											if(( *(_t847 - 0xb8) & 0x00000002) != 0) {
                                                            												_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            												_t100 = _t847 - 0xb8;
                                                            												 *_t100 =  *(_t847 - 0xb8) & 0xfffffffd;
                                                            												__eflags =  *_t100;
                                                            												L00408BFB(0, _t835, _t841,  *_t100);
                                                            											}
                                                            											__eflags =  *(_t847 - 0xb8) & 0x00000001;
                                                            											if(__eflags != 0) {
                                                            												_push( *(_t847 - 0x1b4));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            											}
                                                            											__eflags =  *(_t847 - 0xb2);
                                                            											if( *(_t847 - 0xb2) != 0) {
                                                            												 *(_t847 - 0xb1) = 1;
                                                            												E00408639(_t847 - 0xdc, _t847, E00408826(_t847 - 0xdc, _t847 - 0xc4, 2));
                                                            												_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												E0040898E(0, _t847 - 0xdc, _t831, _t835);
                                                            												E00408968(0, _t847 - 0xdc, _t831, _t835);
                                                            											}
                                                            											E00408C69(_t847 - 0x1c0);
                                                            											_t736 =  *((intOrPtr*)(_t847 - 0x15c));
                                                            											_push(_t847 - 0x1c0);
                                                            											_push(";!@InstallEnd@!");
                                                            											_t831 = ";!@Install@!UTF-8!";
                                                            											_t442 = E00413CE0( *((intOrPtr*)(_t847 - 0x15c)), ";!@Install@!UTF-8!");
                                                            											__eflags = _t442;
                                                            											if(_t442 != 0) {
                                                            												E00401647(_t847 - 0x150, _t847, L".\\");
                                                            												_t738 = _t847 - 0x118;
                                                            												E0040320A(_t847 - 0x118);
                                                            												_t836 = MessageBoxW;
                                                            												 *(_t847 - 0xe4) = 1;
                                                            												__eflags =  *(_t847 - 0x1bc);
                                                            												if(__eflags == 0) {
                                                            													L62:
                                                            													 *((char*)(_t847 - 0x10c)) = 0;
                                                            													E0040320A(_t847 - 0x108);
                                                            													_t740 = _t847 - 0x10c;
                                                            													__eflags = E004113E5(0, _t847 - 0x10c, _t831, _t836, _t847,  *0x42d24c);
                                                            													if(__eflags != 0) {
                                                            														_t447 = E00408BD0(0, _t836, __eflags, 0x1c);
                                                            														__eflags = _t447;
                                                            														if(_t447 == 0) {
                                                            															_t842 = 0;
                                                            															__eflags = 0;
                                                            														} else {
                                                            															_t842 = E00413EA3(_t447);
                                                            														}
                                                            														E0040222C(_t847 - 0xb8, _t842);
                                                            														_t743 = _t842;
                                                            														_t449 = E004118A7(0, _t842, _t831, _t836, _t842, __eflags);
                                                            														__eflags = _t449;
                                                            														if(_t449 == 0) {
                                                            															E00404082(_t847 - 0x130, _t847, _t847 - 0x108);
                                                            															_t745 = _t847 - 0x168;
                                                            															 *(_t847 - 0xb2) = 0;
                                                            															E0040320A(_t847 - 0x168);
                                                            															_push( *((intOrPtr*)(_t847 - 0xe0)));
                                                            															_push(_t847 - 0x180);
                                                            															_push(1);
                                                            															_push(_t847 - 0x168);
                                                            															_push(_t847 - 0xb2);
                                                            															_push( *(_t847 - 0xe4));
                                                            															_push(_t847 - 0x130);
                                                            															_push(_t847 - 0x15c);
                                                            															_push(_t842);
                                                            															_t843 = E004135E5(0, _t831, _t836, _t842, __eflags);
                                                            															__eflags = _t843;
                                                            															if(__eflags == 0) {
                                                            																_push( *(_t847 - 0x168));
                                                            																L00408BFB(0, _t836, _t843, __eflags);
                                                            																E00413E7B(0, _t847 - 0xf0, _t836, _t843, __eflags);
                                                            																_t843 = SetCurrentDirectoryW; // executed
                                                            																_t461 = SetCurrentDirectoryW( *(_t847 - 0x108)); // executed
                                                            																__eflags = _t461;
                                                            																if(__eflags != 0) {
                                                            																	__eflags =  *(_t847 - 0x1a4);
                                                            																	if( *(_t847 - 0x1a4) == 0) {
                                                            																		__eflags =  *(_t847 - 0x114);
                                                            																		if( *(_t847 - 0x114) != 0) {
                                                            																			L101:
                                                            																			E0040320A(_t847 - 0x124);
                                                            																			_push(_t847 - 0x124);
                                                            																			_t464 = E00410D94( *((intOrPtr*)(_t847 - 0x15c)));
                                                            																			__eflags = _t464;
                                                            																			if(_t464 == 0) {
                                                            																				E0040320A(_t847 - 0xfc);
                                                            																				_push(_t847 - 0xfc);
                                                            																				E00410D94( *((intOrPtr*)(_t847 - 0x15c)));
                                                            																				E00408639(_t847 - 0x124, _t847, _t847 - 0xfc);
                                                            																				_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																			}
                                                            																			_t465 = E00417FD5( *((intOrPtr*)(_t847 - 0x118)), L"%%T");
                                                            																			__eflags = _t465;
                                                            																			if(_t465 == 0) {
                                                            																				__eflags =  *(_t847 - 0x14c);
                                                            																				if( *(_t847 - 0x14c) != 0) {
                                                            																					E004099DF(_t847 - 0x150);
                                                            																				}
                                                            																			} else {
                                                            																				E00408639(_t847 - 0x150, _t847, _t847 - 0x130);
                                                            																				E004099DF(_t847 - 0x150);
                                                            																				E00401647(_t847 - 0xc4, _t847, 0x423a68);
                                                            																				E00401647(_t847 - 0xfc, _t847, L"%%T\\");
                                                            																				E0040C8C5(_t847 - 0x118, _t847 - 0xfc, _t847 - 0xc4);
                                                            																				_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																			}
                                                            																			__eflags =  *(_t847 - 0xd8);
                                                            																			if(__eflags != 0) {
                                                            																				E00408670(_t847 - 0x118, _t831, __eflags, 0x20);
                                                            																				E00408FDE(_t847 - 0x118, __eflags, _t847 - 0xdc);
                                                            																			}
                                                            																			 *((short*)(_t847 - 0x27e)) = 0;
                                                            																			_push(_t847 - 0x118);
                                                            																			_push(_t847 - 0x150);
                                                            																			_push(_t847 - 0x26c);
                                                            																			 *(_t847 - 0x2b0) = 0x44;
                                                            																			 *((intOrPtr*)(_t847 - 0x2ac)) = 0;
                                                            																			 *((intOrPtr*)(_t847 - 0x2a8)) = 0;
                                                            																			 *((intOrPtr*)(_t847 - 0x2a4)) = 0;
                                                            																			 *((intOrPtr*)(_t847 - 0x284)) = 0;
                                                            																			 *((intOrPtr*)(_t847 - 0x27c)) = 0;
                                                            																			_t470 = E004096A4(0, _t836, _t843, __eflags);
                                                            																			_t836 = _t470;
                                                            																			_push(E00401647(_t847 - 0x18c, _t847, "\""));
                                                            																			_push(_t847 - 0x180);
                                                            																			_push(E00401647(_t847 - 0x248, _t847, L"\" /k=\""));
                                                            																			_push(_t847 - 0x124);
                                                            																			_push(E00401647(_t847 - 0x254, _t847, L" /m=\""));
                                                            																			_push(_t470);
                                                            																			_push(_t847 - 0x260);
                                                            																			_push(E004096A4(0, _t470, _t843, __eflags));
                                                            																			_push(_t847 - 0x23c);
                                                            																			_push(E004096A4(0, _t470, _t843, __eflags));
                                                            																			_push(_t847 - 0xfc);
                                                            																			_push(E004096A4(0, _t470, _t843, __eflags));
                                                            																			_push(_t847 - 0xc4);
                                                            																			_push(E004096A4(0, _t470, _t843, __eflags));
                                                            																			_push(_t847 - 0xd0);
                                                            																			E004096A4(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x23c)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x260)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x26c)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x254)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *((intOrPtr*)(_t847 - 0x248)));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_push( *(_t847 - 0x18c));
                                                            																			L00408BFB(0, _t836, _t843, __eflags);
                                                            																			_t852 =  &(_t852[8]);
                                                            																			_t496 = CreateProcessW(0,  *(_t847 - 0xd0), 0, 0, 0, 0, 0,  *(_t847 - 0x108), _t847 - 0x2b0, _t847 - 0x230); // executed
                                                            																			__eflags = _t496;
                                                            																			if(__eflags != 0) {
                                                            																				CloseHandle( *(_t847 - 0x22c));
                                                            																				_push( *(_t847 - 0xd0));
                                                            																				_t836 =  *(_t847 - 0x230);
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				_push( *(_t847 - 0x124));
                                                            																				L114:
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				__eflags = _t836;
                                                            																				if(__eflags == 0) {
                                                            																					SetCurrentDirectoryW( *(_t847 - 0xf0));
                                                            																					_push( *(_t847 - 0xf0));
                                                            																					L00408BFB(0, _t836, _t843, __eflags);
                                                            																					_push( *((intOrPtr*)(_t847 - 0x130)));
                                                            																					L00408BFB(0, _t836, _t843, __eflags);
                                                            																					_t503 =  *(_t847 - 0xb8);
                                                            																					__eflags = _t503;
                                                            																					if(__eflags != 0) {
                                                            																						 *((intOrPtr*)( *_t503 + 8))(_t503);
                                                            																					}
                                                            																					E00413A1F(0, _t847 - 0x10c, _t836, _t843, __eflags);
                                                            																					_t844 = 0;
                                                            																				} else {
                                                            																					WaitForSingleObject(_t836, 0xffffffff);
                                                            																					GetExitCodeProcess(_t836, _t847 - 0xe4); // executed
                                                            																					CloseHandle(_t836);
                                                            																					_t836 =  *(_t847 - 0xe4);
                                                            																					SetCurrentDirectoryW( *(_t847 - 0xf0)); // executed
                                                            																					_push( *(_t847 - 0xf0));
                                                            																					L00408BFB(0, _t836, _t843, __eflags);
                                                            																					_push( *((intOrPtr*)(_t847 - 0x130)));
                                                            																					L00408BFB(0, _t836, _t843, __eflags);
                                                            																					_t523 =  *(_t847 - 0xb8);
                                                            																					__eflags = _t523;
                                                            																					if(__eflags != 0) {
                                                            																						 *((intOrPtr*)( *_t523 + 8))(_t523);
                                                            																					}
                                                            																					E00413A1F(0, _t847 - 0x10c, _t836, _t843, __eflags); // executed
                                                            																					_t844 = _t836;
                                                            																				}
                                                            																				goto L52;
                                                            																			} else {
                                                            																				__eflags =  *(_t847 - 0xb1);
                                                            																				if(__eflags == 0) {
                                                            																					E004119F6(0);
                                                            																				}
                                                            																				_push( *(_t847 - 0xd0));
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				_push( *(_t847 - 0x124));
                                                            																				L95:
                                                            																				L00408BFB(0, _t836, _t843, __eflags);
                                                            																				goto L87;
                                                            																			}
                                                            																		}
                                                            																		_t781 = _t847 - 0x118;
                                                            																		E004090CA(_t847 - 0x118, _t847, L"setup.exe");
                                                            																		_push( *((intOrPtr*)(_t847 - 0x118)));
                                                            																		_t558 = E00409421(0, _t831, _t836, SetCurrentDirectoryW, __eflags);
                                                            																		__eflags = _t558;
                                                            																		if(_t558 != 0) {
                                                            																			goto L101;
                                                            																		}
                                                            																		__eflags =  *(_t847 - 0xb1);
                                                            																		if(__eflags == 0) {
                                                            																			E00411936(0, _t781, _t836, SetCurrentDirectoryW, 0,  *0x4306a4);
                                                            																		}
                                                            																		goto L87;
                                                            																	}
                                                            																	E00404082(_t847 - 0xd0, _t847, _t847 - 0x1a8);
                                                            																	_t836 =  *(_t847 - 0xd0);
                                                            																	 *(_t847 - 0x220) = 0x3c;
                                                            																	 *((intOrPtr*)(_t847 - 0x21c)) = 0x140;
                                                            																	 *((intOrPtr*)(_t847 - 0x218)) = 0;
                                                            																	 *((intOrPtr*)(_t847 - 0x214)) = 0;
                                                            																	 *(_t847 - 0x210) = _t836;
                                                            																	__eflags =  *(_t847 - 0xd8);
                                                            																	if(__eflags != 0) {
                                                            																		E00408FDE(_t847 - 0x19c, __eflags, _t847 - 0xdc);
                                                            																	}
                                                            																	_t783 = _t847 - 0x124;
                                                            																	E00404082(_t847 - 0x124, _t847, _t847 - 0x19c);
                                                            																	asm("sbb eax, eax");
                                                            																	 *((intOrPtr*)(_t847 - 0x208)) = 0;
                                                            																	 *(_t847 - 0x20c) =  ~( *(_t847 - 0x120)) &  *(_t847 - 0x124);
                                                            																	 *((intOrPtr*)(_t847 - 0x204)) = 1;
                                                            																	 *(_t847 - 0x1e8) = 0;
                                                            																	ShellExecuteExW(_t847 - 0x220);
                                                            																	__eflags =  *((intOrPtr*)(_t847 - 0x200)) - 0x20;
                                                            																	if(__eflags > 0) {
                                                            																		_push( *(_t847 - 0x124));
                                                            																		_t836 =  *(_t847 - 0x1e8);
                                                            																		L00408BFB(0, _t836, _t843, __eflags);
                                                            																		_push( *(_t847 - 0xd0));
                                                            																		goto L114;
                                                            																	} else {
                                                            																		__eflags =  *(_t847 - 0xb1);
                                                            																		if(__eflags == 0) {
                                                            																			E00411936(0, _t783, _t836, _t843, 0,  *0x430698);
                                                            																		}
                                                            																		_push( *(_t847 - 0x124));
                                                            																		L00408BFB(0, _t836, _t843, __eflags);
                                                            																		_push(_t836);
                                                            																		goto L95;
                                                            																	}
                                                            																}
                                                            																L87:
                                                            																SetCurrentDirectoryW( *(_t847 - 0xf0));
                                                            																_push( *(_t847 - 0xf0));
                                                            																L85:
                                                            																L00408BFB(0, _t836, _t843, __eflags);
                                                            																_push( *((intOrPtr*)(_t847 - 0x130)));
                                                            																L00408BFB(0, _t836, _t843, __eflags);
                                                            																goto L72;
                                                            															}
                                                            															__eflags =  *(_t847 - 0xb1);
                                                            															if(__eflags != 0) {
                                                            																L84:
                                                            																_push( *(_t847 - 0x168));
                                                            																goto L85;
                                                            															}
                                                            															__eflags = _t843 - 1;
                                                            															if(_t843 == 1) {
                                                            																L78:
                                                            																E00408639(_t847 - 0x168, _t847, E0040C825(_t745, _t847 - 0xc4, 0xf));
                                                            																_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            																L00408BFB(0, _t836, _t843, __eflags);
                                                            																_pop(_t745);
                                                            																_t843 = 0x80004005;
                                                            																L79:
                                                            																__eflags = _t843 - 0x80004004;
                                                            																if(__eflags != 0) {
                                                            																	_push(0xa);
                                                            																	_push(_t847 - 0xc4);
                                                            																	__eflags =  *(_t847 - 0x164);
                                                            																	if( *(_t847 - 0x164) == 0) {
                                                            																		_t579 = E0040C825(_t745);
                                                            																		 *((intOrPtr*)(_t847 - 0x190)) = 0x424188;
                                                            																		 *(_t847 - 0x18c) = _t843;
                                                            																		 *((intOrPtr*)(_t847 - 0x188)) = 0;
                                                            																		 *((intOrPtr*)(_t847 - 0x184)) = 0;
                                                            																		MessageBoxW(0, E0041397A(_t847 - 0x190),  *_t579, 0x12010);
                                                            																		E00413802(_t847 - 0x190);
                                                            																	} else {
                                                            																		E0040C825(_t745);
                                                            																		MessageBoxW(0,  *(_t847 - 0x168), ??, ??);
                                                            																	}
                                                            																	_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            																	L00408BFB(0, _t836, _t843, __eflags);
                                                            																}
                                                            																goto L84;
                                                            															}
                                                            															__eflags =  *(_t847 - 0xb2);
                                                            															if( *(_t847 - 0xb2) == 0) {
                                                            																goto L79;
                                                            															}
                                                            															goto L78;
                                                            														} else {
                                                            															__eflags =  *(_t847 - 0xb1);
                                                            															if( *(_t847 - 0xb1) == 0) {
                                                            																E00411936(0, _t743, _t836, _t842, 0,  *0x43068c);
                                                            															}
                                                            															L72:
                                                            															_t531 =  *(_t847 - 0xb8);
                                                            															__eflags = _t531;
                                                            															if(__eflags != 0) {
                                                            																 *((intOrPtr*)( *_t531 + 8))(_t531);
                                                            															}
                                                            															L65:
                                                            															E00413A1F(0, _t847 - 0x10c, _t836, _t843, __eflags);
                                                            															_t844 = 1;
                                                            															L52:
                                                            															_push( *((intOrPtr*)(_t847 - 0x118)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x150)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x1c0)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x15c)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x180)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x174)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x19c)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x1a8)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0xdc)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_push( *((intOrPtr*)(_t847 - 0x1e4)));
                                                            															L00408BFB(0, _t836, _t844, __eflags);
                                                            															_t368 = _t844;
                                                            															L4:
                                                            															_pop(_t834);
                                                            															_pop(_t839);
                                                            															_pop(_t694);
                                                            															return E00416B12(_t368, _t694,  *(_t847 + 0x64) ^ _t847, _t831, _t834, _t839);
                                                            														}
                                                            													}
                                                            													__eflags =  *(_t847 - 0xb1);
                                                            													if(__eflags == 0) {
                                                            														E00411936(0, _t740, _t836, _t841, 0,  *0x43065c);
                                                            													}
                                                            													goto L65;
                                                            												}
                                                            												_push(_t847 - 0x144);
                                                            												_push(_t847 - 0x1c0);
                                                            												 *((intOrPtr*)(_t847 - 0x140)) = 0;
                                                            												 *((intOrPtr*)(_t847 - 0x13c)) = 0;
                                                            												 *((intOrPtr*)(_t847 - 0x138)) = 0;
                                                            												 *((intOrPtr*)(_t847 - 0x134)) = 4;
                                                            												 *((intOrPtr*)(_t847 - 0x144)) = 0x4242e0;
                                                            												_t592 = E00408E31(0, MessageBoxW, _t841, __eflags);
                                                            												__eflags = _t592;
                                                            												if(_t592 != 0) {
                                                            													E00401647(_t847 - 0xd0, _t847, L"Title");
                                                            													E00408DF4(_t847 - 0xd0, _t847 - 0x1b4, _t847 - 0x144, _t847 - 0xd0);
                                                            													L00408BFB(0, MessageBoxW, _t841, __eflags);
                                                            													 *_t852 = L"BeginPrompt";
                                                            													E00401647(_t847 - 0xd0, _t847,  *(_t847 - 0xd0));
                                                            													E00408DF4(_t847 - 0xd0, _t847 - 0x1cc, _t847 - 0x144, _t847 - 0xd0);
                                                            													L00408BFB(0, MessageBoxW, _t841, __eflags);
                                                            													 *_t852 = L"Progress";
                                                            													E00401647(_t847 - 0xd0, _t847,  *(_t847 - 0xd0));
                                                            													E00408DF4(_t847 - 0xd0, _t847 - 0x1d8, _t847 - 0x144, _t847 - 0xd0);
                                                            													L00408BFB(0, MessageBoxW, _t841, __eflags);
                                                            													 *_t852 = L"no";
                                                            													_t611 = E004089E5(_t847 - 0xd0,  *((intOrPtr*)(_t847 - 0x1d8)),  *(_t847 - 0xd0));
                                                            													__eflags = _t611;
                                                            													if(_t611 == 0) {
                                                            														 *(_t847 - 0xe4) = 0;
                                                            													}
                                                            													E00401647(_t847 - 0xd0, _t847, L"Directory");
                                                            													_t615 = E00408DBE(_t847 - 0x144, _t847 - 0xd0);
                                                            													_push( *(_t847 - 0xd0));
                                                            													_t843 = _t615;
                                                            													L00408BFB(0, _t836, _t843, __eflags);
                                                            													__eflags = _t843;
                                                            													if(_t843 >= 0) {
                                                            														__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t847 - 0x138)) + _t843 * 4)) + 0xc;
                                                            														E00408639(_t847 - 0x150, _t847,  *((intOrPtr*)( *((intOrPtr*)(_t847 - 0x138)) + _t843 * 4)) + 0xc);
                                                            													}
                                                            													__eflags =  *(_t847 - 0x1c8);
                                                            													if( *(_t847 - 0x1c8) == 0) {
                                                            														L61:
                                                            														E00401647(_t847 - 0xd0, _t847, L"RunProgram");
                                                            														E00408639(_t847 - 0x118, _t847, E00408DF4(_t847 - 0xd0, _t847 - 0xc4, _t847 - 0x144, _t847 - 0xd0));
                                                            														_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0xd0));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														E00401647(_t847 - 0xd0, _t847, L"ExecuteFile");
                                                            														E00408639(_t847 - 0x1a8, _t847, E00408DF4(_t847 - 0xd0, _t847 - 0xc4, _t847 - 0x144, _t847 - 0xd0));
                                                            														_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0xd0));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														E00401647(_t847 - 0xd0, _t847, L"ExecuteParameters");
                                                            														_push(_t847 - 0xdc);
                                                            														_push(E00408DF4(_t847 - 0xd0, _t847 - 0xfc, _t847 - 0x144, _t847 - 0xd0));
                                                            														_push(_t847 - 0xc4);
                                                            														E00408639(_t847 - 0x19c, _t847, E004096A4(0, _t836, _t843, __eflags));
                                                            														_push( *((intOrPtr*)(_t847 - 0xc4)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *((intOrPtr*)(_t847 - 0xfc)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0xd0));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *((intOrPtr*)(_t847 - 0x1d8)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0x1cc));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0x1b4));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_t852 =  &(_t852[6]);
                                                            														E00413B6D(0, _t847 - 0x144, _t836, _t843, __eflags);
                                                            														goto L62;
                                                            													} else {
                                                            														__eflags =  *(_t847 - 0xb1);
                                                            														if( *(_t847 - 0xb1) != 0) {
                                                            															goto L61;
                                                            														}
                                                            														__eflags = MessageBoxW(0,  *(_t847 - 0x1cc),  *(_t847 - 0x1b4), 0x24) - 6;
                                                            														if(__eflags == 0) {
                                                            															goto L61;
                                                            														}
                                                            														_push( *((intOrPtr*)(_t847 - 0x1d8)));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0x1cc));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_push( *(_t847 - 0x1b4));
                                                            														L00408BFB(0, _t836, _t843, __eflags);
                                                            														_t852 =  &(_t852[3]);
                                                            														_t844 = 0;
                                                            														L51:
                                                            														E00413B6D(0, _t847 - 0x144, _t836, _t844, __eflags);
                                                            														goto L52;
                                                            													}
                                                            												}
                                                            												__eflags =  *(_t847 - 0xb1);
                                                            												if( *(_t847 - 0xb1) == 0) {
                                                            													E00411936(0, _t738, MessageBoxW, _t841, 0,  *0x430650);
                                                            												}
                                                            												_t844 = 1;
                                                            												__eflags = 1;
                                                            												goto L51;
                                                            											} else {
                                                            												__eflags =  *(_t847 - 0xb1);
                                                            												if(__eflags == 0) {
                                                            													E00411936(0, _t736, _t835, _t841, 0,  *0x430644);
                                                            												}
                                                            												_push( *((intOrPtr*)(_t847 - 0x1c0)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x15c)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x180)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x174)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x19c)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x1a8)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0xdc)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												_push( *((intOrPtr*)(_t847 - 0x1e4)));
                                                            												L00408BFB(0, _t835, _t841, __eflags);
                                                            												goto L3;
                                                            											}
                                                            										}
                                                            										 *(_t847 - 0xb8) = 0xf;
                                                            										_t843 = E00401647(_t847 - 0xd0, _t847, L"/y");
                                                            										_t681 = E004089E5(_t847 - 0xdc,  *((intOrPtr*)(E00408730(_t847 - 0xdc, _t847 - 0xc4, 2))),  *_t678);
                                                            										 *(_t847 - 0xb2) = 0;
                                                            										__eflags = _t681;
                                                            										if(_t681 != 0) {
                                                            											goto L32;
                                                            										}
                                                            										goto L31;
                                                            									}
                                                            									_t682 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"-S");
                                                            									__eflags = _t682;
                                                            									if(_t682 != 0) {
                                                            										goto L28;
                                                            									}
                                                            									_t683 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"/s");
                                                            									__eflags = _t683;
                                                            									if(_t683 != 0) {
                                                            										goto L28;
                                                            									}
                                                            									_t684 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"/S");
                                                            									 *((char*)(_t847 - 0xe0)) = 0;
                                                            									__eflags = _t684;
                                                            									if(_t684 == 0) {
                                                            										goto L29;
                                                            									}
                                                            									goto L28;
                                                            								}
                                                            								_t840 = L"/k=";
                                                            								_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"/k=");
                                                            								__eflags = _t835;
                                                            								if(_t835 == 0) {
                                                            									goto L22;
                                                            								}
                                                            								goto L17;
                                                            							}
                                                            							L13:
                                                            							 *(_t847 - 0xb1) = 1;
                                                            							goto L17;
                                                            						}
                                                            						L11:
                                                            						E00413A48(0, __eflags);
                                                            						goto L12;
                                                            					}
                                                            					__eflags =  *(_t847 - 0xa8);
                                                            					if(__eflags != 0) {
                                                            						L8:
                                                            						__eflags =  *(_t847 - 0xa8) - 1;
                                                            						if(__eflags >= 0) {
                                                            							goto L11;
                                                            						} else {
                                                            							__eflags =  *((intOrPtr*)(_t847 - 0xac)) - 6;
                                                            							goto L10;
                                                            						}
                                                            					}
                                                            					E004138BE(0, _t831, __eflags);
                                                            					__eflags =  *((intOrPtr*)(_t847 - 0xac)) - 6;
                                                            					if(__eflags != 0) {
                                                            						goto L10;
                                                            					}
                                                            					goto L8;
                                                            				}
                                                            			}






















































                                                            0x004149e8
                                                            0x004149f0
                                                            0x004149f7
                                                            0x004149f8
                                                            0x00414a04
                                                            0x00414a0b
                                                            0x00414a0c
                                                            0x00414a12
                                                            0x00414a14
                                                            0x00414a16
                                                            0x00414afc
                                                            0x00414b02
                                                            0x00414b0e
                                                            0x00414b19
                                                            0x00414b1f
                                                            0x00414b21
                                                            0x00414b23
                                                            0x00414b35
                                                            0x00414b3b
                                                            0x00414c35
                                                            0x00414c3b
                                                            0x00414c79
                                                            0x00414c7f
                                                            0x00414c8a
                                                            0x00414c91
                                                            0x00414c96
                                                            0x00414c98
                                                            0x00414ca0
                                                            0x00414cab
                                                            0x00414cb2
                                                            0x00414cc4
                                                            0x00414cc9
                                                            0x00414ccf
                                                            0x00414cd4
                                                            0x00414ce0
                                                            0x00414ce7
                                                            0x00414ce9
                                                            0x00414d5c
                                                            0x00414d62
                                                            0x00414d6b
                                                            0x00414d6b
                                                            0x00414ceb
                                                            0x00414cf8
                                                            0x00414d04
                                                            0x00414d14
                                                            0x00414d24
                                                            0x00414d3d
                                                            0x00414d42
                                                            0x00414d48
                                                            0x00414d4d
                                                            0x00414d53
                                                            0x00414d59
                                                            0x00414d70
                                                            0x00414d76
                                                            0x00414d80
                                                            0x00414d92
                                                            0x00414d92
                                                            0x00414d99
                                                            0x00414da6
                                                            0x00414dad
                                                            0x00414db4
                                                            0x00414db5
                                                            0x00414dbf
                                                            0x00414dc5
                                                            0x00414dcb
                                                            0x00414dd1
                                                            0x00414dd7
                                                            0x00414ddd
                                                            0x00414ded
                                                            0x00414df4
                                                            0x00414dfb
                                                            0x00414e0c
                                                            0x00414e13
                                                            0x00414e24
                                                            0x00414e25
                                                            0x00414e2c
                                                            0x00414e32
                                                            0x00414e39
                                                            0x00414e3f
                                                            0x00414e46
                                                            0x00414e4c
                                                            0x00414e53
                                                            0x00414e59
                                                            0x00414e60
                                                            0x00414e61
                                                            0x00414e66
                                                            0x00414e6c
                                                            0x00414e71
                                                            0x00414e77
                                                            0x00414e7c
                                                            0x00414e82
                                                            0x00414e87
                                                            0x00414e8d
                                                            0x00414e92
                                                            0x00414e98
                                                            0x00414e9d
                                                            0x00414ea3
                                                            0x00414ea8
                                                            0x00414eae
                                                            0x00414eb3
                                                            0x00414eb9
                                                            0x00414ebe
                                                            0x00414ee1
                                                            0x00414ee7
                                                            0x00414ee9
                                                            0x00414f15
                                                            0x00414f1b
                                                            0x00414f21
                                                            0x00414f27
                                                            0x00414f2c
                                                            0x00414f32
                                                            0x00414f32
                                                            0x00414f39
                                                            0x00414f3b
                                                            0x00414fa9
                                                            0x00414fab
                                                            0x00414fb1
                                                            0x00414fb6
                                                            0x00414fbc
                                                            0x00414fc1
                                                            0x00414fc9
                                                            0x00414fcb
                                                            0x00414fd0
                                                            0x00414fd0
                                                            0x00414fd9
                                                            0x00414fde
                                                            0x00414f3d
                                                            0x00414f40
                                                            0x00414f4e
                                                            0x00414f55
                                                            0x00414f61
                                                            0x00414f67
                                                            0x00414f69
                                                            0x00414f6f
                                                            0x00414f74
                                                            0x00414f7a
                                                            0x00414f7f
                                                            0x00414f87
                                                            0x00414f89
                                                            0x00414f8e
                                                            0x00414f8e
                                                            0x00414f97
                                                            0x00414f9c
                                                            0x00414f9c
                                                            0x00000000
                                                            0x00414eeb
                                                            0x00414eeb
                                                            0x00414ef1
                                                            0x00414ef4
                                                            0x00414ef4
                                                            0x00414ef9
                                                            0x00414eff
                                                            0x00414f04
                                                            0x00414c0d
                                                            0x00414c0d
                                                            0x00000000
                                                            0x00414c13
                                                            0x00414ee9
                                                            0x00414c42
                                                            0x00414c48
                                                            0x00414c4d
                                                            0x00414c53
                                                            0x00414c58
                                                            0x00414c5a
                                                            0x00000000
                                                            0x00000000
                                                            0x00414c5c
                                                            0x00414c62
                                                            0x00414c6f
                                                            0x00414c6f
                                                            0x00000000
                                                            0x00414c62
                                                            0x00414b4e
                                                            0x00414b53
                                                            0x00414b59
                                                            0x00414b63
                                                            0x00414b6d
                                                            0x00414b73
                                                            0x00414b79
                                                            0x00414b7f
                                                            0x00414b85
                                                            0x00414b94
                                                            0x00414b94
                                                            0x00414ba0
                                                            0x00414ba6
                                                            0x00414bb3
                                                            0x00414bbb
                                                            0x00414bc1
                                                            0x00414bce
                                                            0x00414bd8
                                                            0x00414bde
                                                            0x00414be4
                                                            0x00414beb
                                                            0x00414c19
                                                            0x00414c1f
                                                            0x00414c25
                                                            0x00414c2a
                                                            0x00000000
                                                            0x00414bed
                                                            0x00414bed
                                                            0x00414bf3
                                                            0x00414bfc
                                                            0x00414bfc
                                                            0x00414c01
                                                            0x00414c07
                                                            0x00414c0c
                                                            0x00000000
                                                            0x00414c0c
                                                            0x00414beb
                                                            0x00414b25
                                                            0x00414b2b
                                                            0x00414b2d
                                                            0x00414ae5
                                                            0x00414ae5
                                                            0x00414aea
                                                            0x00414af0
                                                            0x00000000
                                                            0x00414af6
                                                            0x00414a1c
                                                            0x00414a22
                                                            0x00414adf
                                                            0x00414adf
                                                            0x00000000
                                                            0x00414adf
                                                            0x00414a28
                                                            0x00414a2b
                                                            0x00414a35
                                                            0x00414a4a
                                                            0x00414a4f
                                                            0x00414a55
                                                            0x00414a5a
                                                            0x00414a5b
                                                            0x00414a60
                                                            0x00414a60
                                                            0x00414a66
                                                            0x00414a68
                                                            0x00414a70
                                                            0x00414a71
                                                            0x00414a77
                                                            0x00414a90
                                                            0x00414aa3
                                                            0x00414aad
                                                            0x00414ab3
                                                            0x00414ab9
                                                            0x00414ac6
                                                            0x00414ace
                                                            0x00414a79
                                                            0x00414a79
                                                            0x00414a8c
                                                            0x00414a8c
                                                            0x00414ad3
                                                            0x00414ad9
                                                            0x00414ade
                                                            0x00000000
                                                            0x00414a66
                                                            0x00414a2d
                                                            0x00414a33
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00414992
                                                            0x00414992
                                                            0x00414998
                                                            0x004149a1
                                                            0x004149a1
                                                            0x004149a6
                                                            0x004149a6
                                                            0x004149ac
                                                            0x004149ae
                                                            0x004149b3
                                                            0x004149b3
                                                            0x0041494f
                                                            0x00414955
                                                            0x0041495c
                                                            0x0041460a
                                                            0x0041460a
                                                            0x00414610
                                                            0x00414615
                                                            0x0041461b
                                                            0x00414620
                                                            0x00414626
                                                            0x0041462b
                                                            0x00414631
                                                            0x00414636
                                                            0x0041463c
                                                            0x00414641
                                                            0x00414647
                                                            0x0041464c
                                                            0x00414652
                                                            0x00414657
                                                            0x0041465d
                                                            0x00414662
                                                            0x00414668
                                                            0x0041466d
                                                            0x00414673
                                                            0x0041467b
                                                            0x00413fc1
                                                            0x00413fc4
                                                            0x00413fc5
                                                            0x00413fc8
                                                            0x00413fd2
                                                            0x00413fd2
                                                            0x00414990
                                                            0x0041493b
                                                            0x00414941
                                                            0x0041494a
                                                            0x0041494a
                                                            0x00000000
                                                            0x00414941
                                                            0x004145ad
                                                            0x004145b4
                                                            0x004145b5
                                                            0x004145bb
                                                            0x004145c1
                                                            0x004145c7
                                                            0x004145d1
                                                            0x004145db
                                                            0x004145e0
                                                            0x004145e2
                                                            0x0041468d
                                                            0x004146a7
                                                            0x004146b2
                                                            0x004146bd
                                                            0x004146c4
                                                            0x004146de
                                                            0x004146e9
                                                            0x004146f4
                                                            0x004146fb
                                                            0x00414715
                                                            0x00414720
                                                            0x00414725
                                                            0x00414732
                                                            0x00414737
                                                            0x00414739
                                                            0x0041473b
                                                            0x0041473b
                                                            0x0041474c
                                                            0x0041475f
                                                            0x00414764
                                                            0x0041476a
                                                            0x0041476c
                                                            0x00414771
                                                            0x00414774
                                                            0x0041477f
                                                            0x00414789
                                                            0x00414789
                                                            0x0041478e
                                                            0x00414794
                                                            0x004147df
                                                            0x004147ea
                                                            0x00414810
                                                            0x00414815
                                                            0x0041481b
                                                            0x00414820
                                                            0x00414826
                                                            0x00414838
                                                            0x0041485e
                                                            0x00414863
                                                            0x00414869
                                                            0x0041486e
                                                            0x00414874
                                                            0x00414886
                                                            0x00414891
                                                            0x004148ac
                                                            0x004148b3
                                                            0x004148c0
                                                            0x004148c5
                                                            0x004148cb
                                                            0x004148d0
                                                            0x004148d6
                                                            0x004148db
                                                            0x004148e1
                                                            0x004148e6
                                                            0x004148ec
                                                            0x004148f1
                                                            0x004148f7
                                                            0x004148fc
                                                            0x00414902
                                                            0x00414907
                                                            0x00414910
                                                            0x00000000
                                                            0x00414796
                                                            0x00414796
                                                            0x0041479c
                                                            0x00000000
                                                            0x00000000
                                                            0x004147af
                                                            0x004147b2
                                                            0x00000000
                                                            0x00000000
                                                            0x004147b4
                                                            0x004147ba
                                                            0x004147bf

                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 00413FA3
                                                            • CoInitialize.OLE32(00000000), ref: 00413FD6
                                                            • _memset.LIBCMT ref: 00413FEF
                                                            • GetVersionExW.KERNEL32(?), ref: 00414004
                                                            • GetCommandLineW.KERNEL32 ref: 00414068
                                                              • Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                            • _wcslen.LIBCMT ref: 0041428F
                                                              • Part of subcall function 004089E5: CharUpperW.USER32(?), ref: 00408A0F
                                                              • Part of subcall function 004089E5: CharUpperW.USER32(?), ref: 00408A1B
                                                              • Part of subcall function 00408E31: __EH_prolog3.LIBCMT ref: 00408E38
                                                            • ~_Task_impl.LIBCPMT ref: 00414605
                                                            • MessageBoxW.USER32(00000000,?,?,00000024), ref: 004147AD
                                                            • ~_Task_impl.LIBCPMT ref: 00414910
                                                              • Part of subcall function 00413B6D: __EH_prolog3.LIBCMT ref: 00413B74
                                                            • MessageBoxW.USER32(00000000,?,00000000,00012010), ref: 00414A8C
                                                              • Part of subcall function 00411936: MessageBoxW.USER32(?,?,?,00012010), ref: 00411955
                                                              • Part of subcall function 0041397A: FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 0041399D
                                                              • Part of subcall function 0041397A: lstrlenW.KERNEL32(00000000), ref: 004139AA
                                                            • MessageBoxW.USER32(00000000,00000000,?,00012010), ref: 00414AC6
                                                              • Part of subcall function 00413802: LocalFree.KERNEL32(?), ref: 00413820
                                                              • Part of subcall function 00413E7B: __EH_prolog3.LIBCMT ref: 00413E82
                                                            • SetCurrentDirectoryW.KERNELBASE(?,?,00000000,004243F8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414B1F
                                                            • SetCurrentDirectoryW.KERNEL32(?,setup.exe), ref: 00414B2B
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 00414BDE
                                                            • CreateProcessW.KERNELBASE ref: 00414EE1
                                                            • CloseHandle.KERNEL32(?), ref: 00414F15
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00414F40
                                                            • GetExitCodeProcess.KERNELBASE ref: 00414F4E
                                                            • CloseHandle.KERNEL32(?), ref: 00414F55
                                                            • SetCurrentDirectoryW.KERNELBASE(?), ref: 00414F67
                                                              • Part of subcall function 00409421: __EH_prolog3.LIBCMT ref: 00409428
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00414FA9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Message$CurrentDirectoryH_prolog3$CharCloseHandleProcessTask_implUpperVersion$CodeCommandCreateException@8ExecuteExitFormatFreeInitializeLineLocalObjectShellSingleThrowWait_malloc_memset_wcslenlstrlen
                                                            • String ID: $ /m="$"$" /k="$"-k=$"/k=$%%T$%%T\$-k=$/k=$;!@Install@!UTF-8!$;!@InstallEnd@!$Directory$ExecuteFile$ExecuteParameters$RunProgram$Title$setup.exe$BB
                                                            • API String ID: 3256839097-2619287984
                                                            • Opcode ID: a9d9a0855de43823dfb4dfec05b57706af315ca4f4bb22283350850105dcec06
                                                            • Instruction ID: 0adf49adcb97444a0658e12179214cffe8ab958646542027bda483d16c8951a9
                                                            • Opcode Fuzzy Hash: a9d9a0855de43823dfb4dfec05b57706af315ca4f4bb22283350850105dcec06
                                                            • Instruction Fuzzy Hash: 3D926B71804229AEDB21AB61DD92FDEB779AF44314F0041EFB149720A2DF395EC49F68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E00409263(void* __ebx, void** __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				signed int _t17;
                                                            				void* _t24;
                                                            				intOrPtr _t27;
                                                            				void* _t34;
                                                            				void* _t36;
                                                            				intOrPtr _t37;
                                                            				intOrPtr _t45;
                                                            				void** _t47;
                                                            				intOrPtr _t48;
                                                            				WCHAR* _t50;
                                                            				intOrPtr _t52;
                                                            				struct _WIN32_FIND_DATAW* _t53;
                                                            				void* _t55;
                                                            
                                                            				_t45 = __edx;
                                                            				_t53 = _t55 - 0x24c;
                                                            				_t17 =  *0x42d330; // 0x6d29bea0
                                                            				 *(_t53 + 0x250) = _t17 ^ _t53;
                                                            				_push(0x10);
                                                            				E00416B21(E004215F5, __ebx, __edi, __esi);
                                                            				_t50 =  *(_t53 + 0x25c);
                                                            				_t47 = __ecx;
                                                            				 *((intOrPtr*)(_t53 - 0x10)) =  *((intOrPtr*)(_t53 + 0x260));
                                                            				if(E004091A4(__ecx) != 0) {
                                                            					_t36 = FindFirstFileW;
                                                            					_t24 = FindFirstFileW(_t50, _t53); // executed
                                                            					 *_t47 = _t24;
                                                            					__eflags = _t24 - 0xffffffff;
                                                            					if(__eflags != 0) {
                                                            						L6:
                                                            						E00409208(_t53, _t45,  *((intOrPtr*)(_t53 - 0x10)), __eflags);
                                                            						_t27 = 1;
                                                            					} else {
                                                            						E0040320A(_t53 - 0x1c);
                                                            						 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
                                                            						__eflags = E00409876(__eflags, _t50, _t53 - 0x1c);
                                                            						if(__eflags != 0) {
                                                            							_t34 = FindFirstFileW( *(_t53 - 0x1c), _t53); // executed
                                                            							 *_t47 = _t34;
                                                            						}
                                                            						_push( *(_t53 - 0x1c));
                                                            						 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                                                            						L00408BFB(_t36, _t47, _t50, __eflags);
                                                            						__eflags =  *_t47 - 0xffffffff;
                                                            						if(__eflags == 0) {
                                                            							goto L1;
                                                            						} else {
                                                            							goto L6;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					L1:
                                                            					_t27 = 0;
                                                            				}
                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                                                            				_pop(_t48);
                                                            				_pop(_t52);
                                                            				_pop(_t37);
                                                            				return E00416B12(_t27, _t37,  *(_t53 + 0x250) ^ _t53, _t45, _t48, _t52);
                                                            			}

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00409282
                                                              • Part of subcall function 004091A4: FindClose.KERNELBASE ref: 004091AF
                                                            • FindFirstFileW.KERNELBASE(?,00000000,00000010), ref: 004092B0
                                                            • FindFirstFileW.KERNELBASE(?,00000000,?,?), ref: 004092DA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Find$FileFirst$CloseH_prolog3
                                                            • String ID:
                                                            • API String ID: 410050502-0
                                                            • Opcode ID: 975f62184b0334722376676e6a1b5c0cce0942489d580ab71d93cee25a15793a
                                                            • Instruction ID: 90385d78ba4da19f661f7c17792072272f02829a24cb1b28e9608c506c2898f7
                                                            • Opcode Fuzzy Hash: 975f62184b0334722376676e6a1b5c0cce0942489d580ab71d93cee25a15793a
                                                            • Instruction Fuzzy Hash: FD21A531900209ABDF10EF64DC456EEB3B4FF54325F50457EE824A72C2DB39AE059B18
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 97%
                                                            			E00413A48(void* __ebx, void* __eflags) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t19;
                                                            				long _t43;
                                                            				void* _t48;
                                                            				void* _t49;
                                                            				void* _t52;
                                                            				void* _t53;
                                                            				void* _t55;
                                                            				signed int _t56;
                                                            				void* _t58;
                                                            
                                                            				_t56 = _t58 - 0x39c;
                                                            				_t19 =  *0x42d330; // 0x6d29bea0
                                                            				 *(_t56 + 0x398) = _t19 ^ _t56;
                                                            				 *(_t56 - 0x78) = 0;
                                                            				E00417D60(0x206, _t56 - 0x76, 0, 0x206);
                                                            				GetModuleFileNameW(0, _t56 - 0x78, 0x208);
                                                            				 *(_t56 + 0x190) = 0;
                                                            				E00417D60(0x206, _t56 + 0x192, 0, 0x206);
                                                            				E00417F66(_t56 + 0x190, 0x104, L"Applications\\");
                                                            				E00417ECB(_t56 + 0x190, 0x104, E00417E68(_t56 - 0x78, 0x5c) + 2);
                                                            				 *(_t56 - 0x7c) = 0;
                                                            				RegCreateKeyExW(0x80000000, _t56 + 0x190, 0, 0, 0, 0xf003f, 0, _t56 - 0x7c, 0); // executed
                                                            				 *(_t56 - 0x80) = 0;
                                                            				RegSetValueExW( *(_t56 - 0x7c), L"IsHostApp", 0, 1, _t56 - 0x80, 2); // executed
                                                            				_t43 = RegCloseKey( *(_t56 - 0x7c));
                                                            				_t52 = _t49;
                                                            				_t55 = _t53;
                                                            				return E00416B12(_t43, __ebx,  *(_t56 + 0x398) ^ _t56, _t48, _t52, _t55);
                                                            			}

                                                            APIs
                                                            • _memset.LIBCMT ref: 00413A78
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00413A8A
                                                            • _memset.LIBCMT ref: 00413AA2
                                                            • _wcsrchr.LIBCMT ref: 00413AC4
                                                            • RegCreateKeyExW.KERNELBASE(80000000,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00413AF9
                                                            • RegSetValueExW.KERNELBASE(?,IsHostApp,00000000,00000001,?,00000002), ref: 00413B16
                                                            • RegCloseKey.ADVAPI32(?), ref: 00413B1F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: _memset$CloseCreateFileModuleNameValue_wcsrchr
                                                            • String ID: Applications\$IsHostApp
                                                            • API String ID: 1474337858-1667566961
                                                            • Opcode ID: 5e3dc54ae11a1f9641f6188a72024ae741d618748a8b804301cdbc1b71d582ac
                                                            • Instruction ID: f3e52b5f11f812091451beb3f7458e6075dc3339fdcbbde6c0cf17278445c60e
                                                            • Opcode Fuzzy Hash: 5e3dc54ae11a1f9641f6188a72024ae741d618748a8b804301cdbc1b71d582ac
                                                            • Instruction Fuzzy Hash: DD216072A00258BADB31AFB1EC49EEF7BBCEF49704F10002ABA19D7141D6745644CBA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 79%
                                                            			E004107BB(intOrPtr* __ecx, intOrPtr _a4, signed short _a8, unsigned int _a12) {
                                                            				void* _t39;
                                                            				void* _t42;
                                                            				void* _t48;
                                                            				void* _t51;
                                                            				void* _t54;
                                                            				void* _t56;
                                                            				void* _t59;
                                                            				intOrPtr _t83;
                                                            				WCHAR** _t95;
                                                            
                                                            				_t97 = __ecx;
                                                            				_t83 = _a4;
                                                            				_t39 = _t83 - 5;
                                                            				if(_t39 == 0) {
                                                            					_push(_a12 >> 0x10);
                                                            					_push(_a12 & 0x0000ffff);
                                                            					_push(_a8);
                                                            					return  *((intOrPtr*)( *__ecx + 0x1c))();
                                                            				}
                                                            				_t42 = _t39 - 0x41;
                                                            				if(_t42 == 0) {
                                                            					if( *((intOrPtr*)(__ecx + 0x18)) == 0) {
                                                            						return 0;
                                                            					}
                                                            					_a12[6] = 0;
                                                            					SetForegroundWindow(GetDesktopWindow());
                                                            					L20:
                                                            					return 1;
                                                            				}
                                                            				_t48 = _t42 - 8;
                                                            				if(_t48 == 0) {
                                                            					_push(_a12);
                                                            					_push(_a8);
                                                            					return  *((intOrPtr*)( *__ecx + 0x30))();
                                                            				}
                                                            				_t51 = _t48 - 5;
                                                            				if(_t51 == 0) {
                                                            					 *((intOrPtr*)( *__ecx + 0x20))();
                                                            					goto L20;
                                                            				}
                                                            				_t54 = _t51 - 0xbd;
                                                            				if(_t54 == 0) {
                                                            					_t56 =  *((intOrPtr*)( *__ecx + 0x10))();
                                                            					SetEvent( *(__ecx + 0x1c));
                                                            					return _t56;
                                                            				}
                                                            				_t59 = _t54 - 1;
                                                            				if(_t59 == 0) {
                                                            					_push(_a12);
                                                            					_push(_a8);
                                                            					return  *((intOrPtr*)( *__ecx + 0x18))();
                                                            				}
                                                            				if(_t59 == 0) {
                                                            					_push(_a12);
                                                            					_push(_a8);
                                                            					return  *((intOrPtr*)( *__ecx + 0x34))();
                                                            				}
                                                            				_t95 = _a12;
                                                            				if(_t83 !=  *((intOrPtr*)(__ecx + 8))) {
                                                            					L11:
                                                            					if(_t83 !=  *((intOrPtr*)(_t97 + 0x10))) {
                                                            						L15:
                                                            						return 0;
                                                            					}
                                                            					ShowWindow( *(_t97 + 4), 5);
                                                            					do {
                                                            					} while (PeekMessageW(0,  *(_t97 + 4), 0, 0, 0) != 0);
                                                            					 *((intOrPtr*)(_t97 + 0xc)) = MessageBoxW( *(_t97 + 4),  *_t95, _t95[1], _t95[2]);
                                                            					SetEvent( *(_t97 + 0x14));
                                                            					goto L15;
                                                            				}
                                                            				ShowWindow( *(__ecx + 4), 5);
                                                            				do {
                                                            				} while (PeekMessageW(0,  *(_t97 + 4), 0, 0, 0) != 0);
                                                            				 *((intOrPtr*)(_t97 + 0xc)) = E0041079E(_t95, _a8 & 0x0000ffff,  *(_t97 + 4));
                                                            				SetEvent( *(_t97 + 0x14));
                                                            				_t83 = _a4;
                                                            				goto L11;
                                                            			}













                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Window$EventMessage$PeekShow$DesktopForeground
                                                            • String ID:
                                                            • API String ID: 492945738-0
                                                            • Opcode ID: 1020dcf3a7cf4a9841e136e5eebde1db1a257eca119acd236c22988f0cc26945
                                                            • Instruction ID: ef53d117bb9aac1f46f3e2f1aa8cb95ae6132c7bce52066b60c1aa11a3ec3fe9
                                                            • Opcode Fuzzy Hash: 1020dcf3a7cf4a9841e136e5eebde1db1a257eca119acd236c22988f0cc26945
                                                            • Instruction Fuzzy Hash: 32417EB4204605EFDB255F64CC58CAABBB9FF08311700491AF85287621C779DD91DF68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 65%
                                                            			E00417A38(intOrPtr __edx, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
                                                            				struct _SECURITY_ATTRIBUTES* _v0;
                                                            				DWORD* _v12;
                                                            				void* _v20;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				void* _t27;
                                                            				void* _t33;
                                                            				DWORD* _t38;
                                                            				intOrPtr* _t40;
                                                            				void* _t42;
                                                            				void* _t48;
                                                            				long _t51;
                                                            				void* _t61;
                                                            				struct _SECURITY_ATTRIBUTES* _t62;
                                                            				intOrPtr* _t64;
                                                            				void* _t65;
                                                            
                                                            				_t58 = __edx;
                                                            				_push(_t64);
                                                            				E0041871A();
                                                            				_t27 = E004186FA(E00418714());
                                                            				if(_t27 != 0) {
                                                            					_t51 = _a4;
                                                            					 *((intOrPtr*)(_t27 + 0x54)) =  *((intOrPtr*)(_t51 + 0x54));
                                                            					 *((intOrPtr*)(_t27 + 0x58)) =  *((intOrPtr*)(_t51 + 0x58));
                                                            					_t58 =  *((intOrPtr*)(_t51 + 4));
                                                            					_push(_t51);
                                                            					 *((intOrPtr*)(_t27 + 4)) =  *((intOrPtr*)(_t51 + 4));
                                                            					E00418922(_t48, _t61, _t64, __eflags);
                                                            				} else {
                                                            					_t64 = _a4;
                                                            					if(E0041874E(E00418714(), _t64) == 0) {
                                                            						ExitThread(GetLastError());
                                                            					}
                                                            					 *_t64 = GetCurrentThreadId();
                                                            				}
                                                            				_t73 =  *0x434300;
                                                            				if( *0x434300 != 0) {
                                                            					_t42 = E0041AFE0(_t73, 0x434300);
                                                            					_pop(_t51);
                                                            					_t74 = _t42;
                                                            					if(_t42 != 0) {
                                                            						 *0x434300(); // executed
                                                            					}
                                                            				}
                                                            				E004179F7(_t58, _t61, _t64, _t74); // executed
                                                            				asm("int3");
                                                            				_push(_t51);
                                                            				_push(_t48);
                                                            				_push(_t61);
                                                            				_t62 = _v0;
                                                            				_v20 = 0;
                                                            				_t75 = _t62;
                                                            				if(_t62 != 0) {
                                                            					_push(_t64);
                                                            					E0041871A();
                                                            					_t65 = E0041AE0D(1, 0x214);
                                                            					__eflags = _t65;
                                                            					if(__eflags == 0) {
                                                            						L16:
                                                            						_push(_t65);
                                                            						E004174DE(0, _t62, _t65, __eflags);
                                                            						__eflags = _v12;
                                                            						if(_v12 != 0) {
                                                            							E0041AD6E(_v12);
                                                            						}
                                                            						_t33 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_push( *((intOrPtr*)(E00418908(0, _t58, _t62, __eflags) + 0x6c)));
                                                            						_push(_t65);
                                                            						E004187A8(0, _t62, _t65, __eflags);
                                                            						 *(_t65 + 4) =  *(_t65 + 4) | 0xffffffff;
                                                            						 *((intOrPtr*)(_t65 + 0x58)) = _a12;
                                                            						_t38 = _a20;
                                                            						 *((intOrPtr*)(_t65 + 0x54)) = _t62;
                                                            						__eflags = _t38;
                                                            						if(_t38 == 0) {
                                                            							_t38 =  &_a8;
                                                            						}
                                                            						_t33 = CreateThread(_v0, _a4, E00417A38, _t65, _a16, _t38); // executed
                                                            						__eflags = _t33;
                                                            						if(__eflags == 0) {
                                                            							_v12 = GetLastError();
                                                            							goto L16;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t40 = E0041AD48(_t75);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					 *_t40 = 0x16;
                                                            					E0041B335(_t58, _t62, _t64);
                                                            					_t33 = 0;
                                                            				}
                                                            				return _t33;
                                                            			}






















                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 00417A3E
                                                              • Part of subcall function 0041871A: TlsGetValue.KERNEL32(?,00417A43), ref: 00418723
                                                              • Part of subcall function 0041871A: __decode_pointer.LIBCMT ref: 00418735
                                                              • Part of subcall function 0041871A: TlsSetValue.KERNEL32(00000000,00417A43), ref: 00418744
                                                            • ___fls_getvalue@4.LIBCMT ref: 00417A49
                                                              • Part of subcall function 004186FA: TlsGetValue.KERNEL32(?,?,00417A4E,00000000), ref: 00418708
                                                            • ___fls_setvalue@8.LIBCMT ref: 00417A5C
                                                              • Part of subcall function 0041874E: __decode_pointer.LIBCMT ref: 0041875F
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00417A65
                                                            • ExitThread.KERNEL32 ref: 00417A6C
                                                            • GetCurrentThreadId.KERNEL32 ref: 00417A72
                                                            • __freefls@4.LIBCMT ref: 00417A92
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00417AA5
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                            • String ID:
                                                            • API String ID: 1925773019-0
                                                            • Opcode ID: ad25c5c030c8e423ef252c91bc7494b41323f4b5739d17432caa5a6650f4ba42
                                                            • Instruction ID: 23fa8d03a6744e6ba2d29b3b09d89d6d24b2700031a043de03642765a198108a
                                                            • Opcode Fuzzy Hash: ad25c5c030c8e423ef252c91bc7494b41323f4b5739d17432caa5a6650f4ba42
                                                            • Instruction Fuzzy Hash: F8014474504201ABC714AF72DC499DE7BB9AF44359720852EB80587252DF3CD9C2C66D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 87%
                                                            			E0040255F(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				signed int _t241;
                                                            				signed int _t244;
                                                            				signed int _t245;
                                                            				void* _t246;
                                                            				intOrPtr _t248;
                                                            				signed int _t255;
                                                            				signed int _t259;
                                                            				intOrPtr _t261;
                                                            				signed int _t262;
                                                            				signed int _t263;
                                                            				signed int _t273;
                                                            				signed int _t274;
                                                            				intOrPtr _t278;
                                                            				signed int _t281;
                                                            				signed int _t282;
                                                            				signed int _t283;
                                                            				signed int _t286;
                                                            				signed int _t287;
                                                            				signed int _t292;
                                                            				signed int _t295;
                                                            				signed int _t298;
                                                            				signed int _t299;
                                                            				signed int _t302;
                                                            				signed int _t308;
                                                            				signed int _t311;
                                                            				signed int _t316;
                                                            				intOrPtr _t323;
                                                            				signed int _t338;
                                                            				signed int _t339;
                                                            				intOrPtr _t341;
                                                            				signed int _t361;
                                                            				intOrPtr _t391;
                                                            				intOrPtr _t399;
                                                            				signed int _t402;
                                                            				signed int _t403;
                                                            				intOrPtr* _t404;
                                                            				signed int _t406;
                                                            				intOrPtr _t408;
                                                            				signed int _t411;
                                                            				void* _t414;
                                                            				signed int _t415;
                                                            				signed int _t417;
                                                            				intOrPtr _t418;
                                                            				void* _t419;
                                                            				void* _t429;
                                                            
                                                            				_t399 = __edx;
                                                            				_push(0xb8);
                                                            				_t241 = E00416B54(E00420E32, __ebx, __edi, __esi);
                                                            				_t402 = 0;
                                                            				 *((intOrPtr*)(_t419 - 4)) = 0;
                                                            				 *((char*)(_t419 + 8)) = _t241 & 0xffffff00 |  *(_t419 + 0x6c) != 0x00000000;
                                                            				E0040222C(_t419 + 0x70,  *(_t419 + 0x70));
                                                            				_t338 =  *(_t419 + 0x60);
                                                            				 *((char*)(_t419 + 0x6f)) =  *((intOrPtr*)(_t419 + 0x68)) == 0xffffffff;
                                                            				 *(_t419 + 0x44) = 0;
                                                            				 *((intOrPtr*)(_t419 + 0x48)) = 0;
                                                            				if( *((char*)(_t419 + 0x6f)) != 0) {
                                                            					 *((intOrPtr*)(_t419 + 0x68)) =  *((intOrPtr*)(_t338 + 0x7c));
                                                            				}
                                                            				if( *((intOrPtr*)(_t419 + 0x68)) != _t402) {
                                                            					 *(_t419 + 0x30) = _t402;
                                                            					 *(_t419 + 0x34) = _t402;
                                                            					 *(_t419 + 0x38) = _t402;
                                                            					 *((intOrPtr*)(_t419 + 0x3c)) = 4;
                                                            					 *((intOrPtr*)(_t419 + 0x2c)) = 0x423428;
                                                            					 *((char*)(_t419 - 4)) = 2;
                                                            					 *(_t419 + 0x54) = _t402;
                                                            					while(1) {
                                                            						_t244 =  *(_t419 + 0x54);
                                                            						__eflags = _t244 -  *((intOrPtr*)(_t419 + 0x68));
                                                            						if(_t244 >=  *((intOrPtr*)(_t419 + 0x68))) {
                                                            							break;
                                                            						}
                                                            						__eflags =  *((char*)(_t419 + 0x6f));
                                                            						if( *((char*)(_t419 + 0x6f)) == 0) {
                                                            							_t244 =  *( *(_t419 + 0x64) + _t244 * 4);
                                                            						}
                                                            						_t417 =  *( *((intOrPtr*)(_t338 + 0x1c8)) + _t244 * 4);
                                                            						 *(_t419 + 0x4c) = _t244;
                                                            						__eflags = _t417 - 0xffffffff;
                                                            						if(__eflags != 0) {
                                                            							_t316 =  *(_t419 + 0x34);
                                                            							__eflags = _t316 - _t402;
                                                            							if(__eflags == 0) {
                                                            								L15:
                                                            								_push(_t417);
                                                            								_push(0xffffffff);
                                                            								_push(E004022AF(_t338, _t419 - 0x38, _t399, _t402, _t417, __eflags));
                                                            								_t49 = _t419 + 0x2c; // 0x423428
                                                            								 *((char*)(_t419 - 4)) = 4;
                                                            								E0040251F(_t338, _t49, _t402, _t417, __eflags);
                                                            								 *((char*)(_t419 - 4)) = 2;
                                                            								E00408BC5(_t419 - 0x30);
                                                            								_t391 = E004023E2( *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x58)) + _t417 * 4)));
                                                            								_t58 = _t419 + 0x44;
                                                            								 *_t58 =  *(_t419 + 0x44) + _t391;
                                                            								__eflags =  *_t58;
                                                            								_t323 =  *((intOrPtr*)( *(_t419 + 0x38) +  *(_t419 + 0x34) * 4 - 4));
                                                            								 *((intOrPtr*)(_t323 + 0x20)) = _t391;
                                                            								asm("adc [ebp+0x48], edx");
                                                            								 *((intOrPtr*)(_t323 + 0x24)) = _t399;
                                                            								L16:
                                                            								_t408 =  *((intOrPtr*)( *(_t419 + 0x38) +  *(_t419 + 0x34) * 4 - 4));
                                                            								_t341 =  *((intOrPtr*)( *((intOrPtr*)( *(_t419 + 0x60) + 0x1b4)) + _t417 * 4));
                                                            								_t418 =  *((intOrPtr*)(_t408 + 0x10));
                                                            								while(1) {
                                                            									_t328 =  *(_t419 + 0x4c) - _t341;
                                                            									__eflags = _t418 -  *(_t419 + 0x4c) - _t341;
                                                            									if(_t418 >  *(_t419 + 0x4c) - _t341) {
                                                            										break;
                                                            									}
                                                            									_t78 = _t408 + 8; // 0xa
                                                            									E0040220A(_t78, (_t328 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
                                                            									_t418 = _t418 + 1;
                                                            								}
                                                            								_t338 =  *(_t419 + 0x60);
                                                            								goto L20;
                                                            							}
                                                            							__eflags = _t417 -  *((intOrPtr*)( *((intOrPtr*)( *(_t419 + 0x38) + _t316 * 4 - 4)) + 4));
                                                            							if(__eflags == 0) {
                                                            								goto L16;
                                                            							}
                                                            							goto L15;
                                                            						} else {
                                                            							_push(_t417);
                                                            							_push(_t244);
                                                            							_push(E004022AF(_t338, _t419 - 0x38, _t399, _t402, _t417, __eflags));
                                                            							_t38 = _t419 + 0x2c; // 0x423428
                                                            							 *((char*)(_t419 - 4)) = 3;
                                                            							E0040251F(_t338, _t38, _t402, _t417, __eflags);
                                                            							 *((char*)(_t419 - 4)) = 2;
                                                            							E00408BC5(_t419 - 0x30);
                                                            							L20:
                                                            							 *(_t419 + 0x54) =  *(_t419 + 0x54) + 1;
                                                            							_t402 = 0;
                                                            							continue;
                                                            						}
                                                            					}
                                                            					_t245 =  *(_t419 + 0x70);
                                                            					_t246 =  *((intOrPtr*)( *_t245 + 0xc))(_t245,  *(_t419 + 0x44),  *((intOrPtr*)(_t419 + 0x48)));
                                                            					_t410 = _t246;
                                                            					__eflags = _t246 - _t402;
                                                            					if(__eflags == 0) {
                                                            						E004019B6(_t419 - 0xc4, __eflags, 1);
                                                            						 *((char*)(_t419 - 4)) = 5;
                                                            						 *(_t419 + 0x1c) = _t402;
                                                            						 *(_t419 + 0x20) = _t402;
                                                            						 *(_t419 + 0x24) = _t402;
                                                            						 *(_t419 + 0x28) = _t402;
                                                            						_t248 = E00408BD0(_t338, _t402, __eflags, 0x38);
                                                            						 *((intOrPtr*)(_t419 + 0x68)) = _t248;
                                                            						 *((char*)(_t419 - 4)) = 6;
                                                            						__eflags = _t248 - _t402;
                                                            						if(_t248 == _t402) {
                                                            							_t411 = 0;
                                                            							__eflags = 0;
                                                            						} else {
                                                            							_t411 = E0040ACF5(_t248);
                                                            						}
                                                            						 *((char*)(_t419 - 4)) = 5;
                                                            						 *((intOrPtr*)(_t419 + 0x48)) = _t411;
                                                            						E0040222C(_t419 + 0x50, _t411);
                                                            						_push(_t402);
                                                            						 *((char*)(_t419 - 4)) = 7;
                                                            						E0040AC22(_t411,  *(_t419 + 0x70));
                                                            						_t403 = 0;
                                                            						__eflags = 0;
                                                            						 *(_t419 + 0x4c) = 0;
                                                            						while(1) {
                                                            							 *(_t411 + 0x28) =  *(_t419 + 0x24);
                                                            							 *(_t411 + 0x2c) =  *(_t419 + 0x28);
                                                            							 *(_t411 + 0x20) =  *(_t419 + 0x1c);
                                                            							 *(_t411 + 0x24) =  *(_t419 + 0x20);
                                                            							_t255 = E0040AC17(_t411);
                                                            							_t412 = _t255;
                                                            							__eflags = _t255;
                                                            							if(_t255 != 0) {
                                                            								break;
                                                            							}
                                                            							__eflags = _t403 -  *(_t419 + 0x34);
                                                            							if(__eflags < 0) {
                                                            								_t404 =  *((intOrPtr*)( *(_t419 + 0x38) + _t403 * 4));
                                                            								 *((intOrPtr*)(_t419 + 0xc)) =  *((intOrPtr*)(_t404 + 0x20));
                                                            								 *((intOrPtr*)(_t419 + 0x10)) =  *((intOrPtr*)(_t404 + 0x24));
                                                            								 *((intOrPtr*)(_t419 + 0x14)) = 0;
                                                            								 *((intOrPtr*)(_t419 + 0x18)) = 0;
                                                            								_t259 = E00408BD0(_t338, _t404, __eflags, 0x38);
                                                            								 *(_t419 + 0x40) = _t259;
                                                            								 *((char*)(_t419 - 4)) = 8;
                                                            								__eflags = _t259;
                                                            								if(__eflags == 0) {
                                                            									 *(_t419 + 0x54) = 0;
                                                            								} else {
                                                            									 *(_t419 + 0x54) = E00402B81(_t338, _t259, _t404, 0, __eflags);
                                                            								}
                                                            								_t350 = _t419 + 0x6c;
                                                            								 *((char*)(_t419 - 4)) = 7;
                                                            								E0040222C(_t419 + 0x6c,  *(_t419 + 0x54));
                                                            								_t261 =  *_t404;
                                                            								 *((char*)(_t419 - 4)) = 9;
                                                            								_t414 = _t338 + 0x10;
                                                            								__eflags = _t261 - 0xffffffff;
                                                            								if(_t261 == 0xffffffff) {
                                                            									_t350 =  *(_t414 + 0x1a4);
                                                            									_t261 =  *((intOrPtr*)( *(_t414 + 0x1a4) +  *(_t404 + 4) * 4));
                                                            								}
                                                            								__eflags =  *(_t338 + 0x1e4);
                                                            								_t262 = E00402F5C(_t338,  *(_t419 + 0x54), _t404, _t414, 0, _t261, _t404 + 8,  *(_t419 + 0x70),  *((intOrPtr*)(_t419 + 8)), (_t350 & 0xffffff00 |  *(_t338 + 0x1e4) != 0x00000000) & 0x000000ff); // executed
                                                            								_t339 = _t262;
                                                            								__eflags = _t339;
                                                            								if(_t339 == 0) {
                                                            									__eflags =  *_t404 - 0xffffffff;
                                                            									if( *_t404 != 0xffffffff) {
                                                            										L76:
                                                            										_t263 =  *(_t419 + 0x6c);
                                                            										 *((char*)(_t419 - 4)) = 7;
                                                            										__eflags = _t263;
                                                            										if(_t263 != 0) {
                                                            											 *((intOrPtr*)( *_t263 + 8))(_t263);
                                                            										}
                                                            										L78:
                                                            										 *(_t419 + 0x4c) =  *(_t419 + 0x4c) + 1;
                                                            										 *(_t419 + 0x24) =  *(_t419 + 0x24) +  *((intOrPtr*)(_t419 + 0xc));
                                                            										_t338 =  *(_t419 + 0x60);
                                                            										asm("adc [ebp+0x28], eax");
                                                            										 *(_t419 + 0x1c) =  *(_t419 + 0x1c) +  *((intOrPtr*)(_t419 + 0x14));
                                                            										_t411 =  *((intOrPtr*)(_t419 + 0x48));
                                                            										asm("adc [ebp+0x20], eax");
                                                            										_t403 =  *(_t419 + 0x4c);
                                                            										continue;
                                                            									}
                                                            									_t406 =  *(_t404 + 4);
                                                            									 *(_t419 + 0x40) =  *( *((intOrPtr*)(_t414 + 0x48)) + _t406 * 4);
                                                            									 *((intOrPtr*)(_t419 + 0x14)) = E0040242E(_t414, _t406);
                                                            									_t338 =  *( *((intOrPtr*)(_t414 + 0x190)) + _t406 * 4);
                                                            									 *((intOrPtr*)(_t419 + 0x18)) = _t399;
                                                            									_t273 = E00402280(_t414, _t406, 0);
                                                            									 *(_t419 + 0x64) =  *(_t419 + 0x64) & 0x00000000;
                                                            									_t403 = _t273;
                                                            									 *((intOrPtr*)(_t419 + 4)) = _t399;
                                                            									_t274 =  *(_t419 + 0x70);
                                                            									 *((char*)(_t419 - 4)) = 0xa;
                                                            									__eflags = _t274;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t274))(_t274, 0x424174, _t419 + 0x64);
                                                            									}
                                                            									_t399 = _t419 + 0x6b;
                                                            									_push(_t399);
                                                            									_push( *(_t419 + 0x64));
                                                            									_push( *(_t419 + 0x50));
                                                            									 *((char*)(_t419 - 4)) = 0xb;
                                                            									_push( *(_t419 + 0x6c));
                                                            									_push( *(_t419 + 0x40));
                                                            									_push( *((intOrPtr*)(_t414 + 0xc)) + _t338 * 8);
                                                            									_push( *((intOrPtr*)(_t419 + 4)));
                                                            									_push(_t403);
                                                            									_push( *((intOrPtr*)( *(_t419 + 0x60) + 8)));
                                                            									_t415 = E00401ADB(_t338, _t419 - 0xc4, _t403, _t414, __eflags);
                                                            									__eflags = _t415 - 1;
                                                            									if(_t415 != 1) {
                                                            										__eflags = _t415 - 0x80004001;
                                                            										if(_t415 != 0x80004001) {
                                                            											__eflags = _t415;
                                                            											if(_t415 == 0) {
                                                            												_t361 =  *(_t419 + 0x54);
                                                            												_t278 =  *((intOrPtr*)(_t361 + 0x18));
                                                            												__eflags =  *((intOrPtr*)(_t361 + 0x28)) -  *((intOrPtr*)(_t278 + 8));
                                                            												if( *((intOrPtr*)(_t361 + 0x28)) !=  *((intOrPtr*)(_t278 + 8))) {
                                                            													goto L56;
                                                            												}
                                                            												 *((intOrPtr*)(_t419 - 4)) = 9;
                                                            												_t295 =  *(_t419 + 0x64);
                                                            												__eflags = _t295;
                                                            												if(_t295 != 0) {
                                                            													 *((intOrPtr*)( *_t295 + 8))(_t295);
                                                            												}
                                                            												goto L76;
                                                            											}
                                                            											_t281 =  *(_t419 + 0x64);
                                                            											 *((char*)(_t419 - 4)) = 9;
                                                            											goto L57;
                                                            										}
                                                            										_t361 =  *(_t419 + 0x54);
                                                            										_push(1);
                                                            										goto L68;
                                                            									} else {
                                                            										_t361 =  *(_t419 + 0x54);
                                                            										L56:
                                                            										_push(2);
                                                            										L68:
                                                            										_t415 = E00402EF1(_t338, _t361, _t403, _t419);
                                                            										_t281 =  *(_t419 + 0x64);
                                                            										 *((char*)(_t419 - 4)) = 9;
                                                            										__eflags = _t415;
                                                            										if(_t415 != 0) {
                                                            											L57:
                                                            											__eflags = _t281;
                                                            											if(_t281 != 0) {
                                                            												 *((intOrPtr*)( *_t281 + 8))(_t281);
                                                            											}
                                                            											_t282 =  *(_t419 + 0x6c);
                                                            											 *((char*)(_t419 - 4)) = 7;
                                                            											__eflags = _t282;
                                                            											if(_t282 != 0) {
                                                            												 *((intOrPtr*)( *_t282 + 8))(_t282);
                                                            											}
                                                            											break;
                                                            										}
                                                            										__eflags = _t281;
                                                            										if(_t281 != 0) {
                                                            											 *((intOrPtr*)( *_t281 + 8))(_t281);
                                                            										}
                                                            										_t292 =  *(_t419 + 0x6c);
                                                            										 *((char*)(_t419 - 4)) = 7;
                                                            										__eflags = _t292;
                                                            										if(_t292 != 0) {
                                                            											 *((intOrPtr*)( *_t292 + 8))(_t292);
                                                            										}
                                                            										 *((char*)(_t419 - 4)) = 7;
                                                            										goto L78;
                                                            									}
                                                            								} else {
                                                            									_t298 =  *(_t419 + 0x6c);
                                                            									 *((char*)(_t419 - 4)) = 7;
                                                            									__eflags = _t298;
                                                            									if(_t298 != 0) {
                                                            										 *((intOrPtr*)( *_t298 + 8))(_t298);
                                                            									}
                                                            									_t299 =  *(_t419 + 0x50);
                                                            									 *((char*)(_t419 - 4)) = 5;
                                                            									__eflags = _t299;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t299 + 8))(_t299);
                                                            									}
                                                            									 *((char*)(_t419 - 4)) = 2;
                                                            									E0040246D(_t419 - 0xc4, _t414, __eflags);
                                                            									_t167 = _t419 + 0x2c; // 0x423428
                                                            									 *((char*)(_t419 - 4)) = 1;
                                                            									E0040232F(_t339, _t167, _t404, _t414, __eflags);
                                                            									_t302 =  *(_t419 + 0x70);
                                                            									 *((char*)(_t419 - 4)) = 0;
                                                            									__eflags = _t302;
                                                            									if(_t302 != 0) {
                                                            										 *((intOrPtr*)( *_t302 + 8))(_t302);
                                                            									}
                                                            									_t287 = _t339;
                                                            									goto L79;
                                                            								}
                                                            							}
                                                            							_t308 =  *(_t419 + 0x50);
                                                            							 *((char*)(_t419 - 4)) = 5;
                                                            							__eflags = _t308;
                                                            							if(__eflags != 0) {
                                                            								 *((intOrPtr*)( *_t308 + 8))(_t308);
                                                            							}
                                                            							 *((char*)(_t419 - 4)) = 2;
                                                            							E0040246D(_t419 - 0xc4, _t412, __eflags);
                                                            							_t127 = _t419 + 0x2c; // 0x423428
                                                            							 *((char*)(_t419 - 4)) = 1;
                                                            							E0040232F(_t338, _t127, _t403, _t412, __eflags);
                                                            							_t311 =  *(_t419 + 0x70);
                                                            							__eflags = _t311;
                                                            							goto L4;
                                                            						}
                                                            						_t283 =  *(_t419 + 0x50);
                                                            						 *((char*)(_t419 - 4)) = 5;
                                                            						__eflags = _t283;
                                                            						if(__eflags != 0) {
                                                            							 *((intOrPtr*)( *_t283 + 8))(_t283);
                                                            						}
                                                            						 *((char*)(_t419 - 4)) = 2;
                                                            						E0040246D(_t419 - 0xc4, _t415, __eflags);
                                                            						_t118 = _t419 + 0x2c; // 0x423428
                                                            						 *((char*)(_t419 - 4)) = 1;
                                                            						E0040232F(_t338, _t118, _t403, _t415, __eflags);
                                                            						_t286 =  *(_t419 + 0x70);
                                                            						__eflags = _t286;
                                                            						L23:
                                                            						 *((char*)(_t419 - 4)) = 0;
                                                            						if(__eflags != 0) {
                                                            							 *((intOrPtr*)( *_t286 + 8))(_t286);
                                                            						}
                                                            						_t287 = _t415;
                                                            						goto L79;
                                                            					}
                                                            					_t86 = _t419 + 0x2c; // 0x423428
                                                            					 *((char*)(_t419 - 4)) = 1;
                                                            					E0040232F(_t338, _t86, _t402, _t410, __eflags);
                                                            					_t286 =  *(_t419 + 0x70);
                                                            					__eflags = _t286 - _t402;
                                                            					goto L23;
                                                            				} else {
                                                            					_t311 =  *(_t419 + 0x70);
                                                            					_t429 = _t311 - _t402;
                                                            					L4:
                                                            					 *((char*)(_t419 - 4)) = 0;
                                                            					if(_t429 != 0) {
                                                            						 *((intOrPtr*)( *_t311 + 8))(_t311);
                                                            					}
                                                            					_t287 = 0;
                                                            					L79:
                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t419 - 0xc));
                                                            					return _t287;
                                                            				}
                                                            			}

















































                                                            0x00402797
                                                            0x0040279c
                                                            0x0040279c
                                                            0x004027a5
                                                            0x004027a9
                                                            0x004027ae
                                                            0x004027b1
                                                            0x004027b5
                                                            0x004027ba
                                                            0x004027bd
                                                            0x004026f5
                                                            0x004026f5
                                                            0x004026f9
                                                            0x004026fe
                                                            0x004026fe
                                                            0x00402701
                                                            0x00000000
                                                            0x00402701
                                                            0x004026e4
                                                            0x004026e7
                                                            0x004026eb
                                                            0x004026f0
                                                            0x004026f3
                                                            0x00000000
                                                            0x004025ad
                                                            0x004025ad
                                                            0x004025b0
                                                            0x004025b2
                                                            0x004025b2
                                                            0x004025b6
                                                            0x004025bb
                                                            0x004025bb
                                                            0x004025be
                                                            0x00402aec
                                                            0x00402aef
                                                            0x00402afe
                                                            0x00402afe

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Task_impl$H_prolog3_catch
                                                            • String ID: (4B
                                                            • API String ID: 3201307039-3941014785
                                                            • Opcode ID: 7dd698598920f49c7f00bcb4c319b7e72603d0c720e5309275cb43d7f27d00b5
                                                            • Instruction ID: f0288910dd9c909d91c94d4f3f33727955864a049ee0700389af622be2fa39fd
                                                            • Opcode Fuzzy Hash: 7dd698598920f49c7f00bcb4c319b7e72603d0c720e5309275cb43d7f27d00b5
                                                            • Instruction Fuzzy Hash: DD026C70A00248DFDB11DF68CA88A9D7BB5AF58304F1441AAFC09A73D2CBB9ED45CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 751 40543e-40554d call 416b21 call 4053bf call 4019b6 758 405553-40555f 751->758 759 4056af-4056b9 call 40246d 751->759 760 405569-4055af call 404e08 call 408bfb call 4023e2 758->760 763 4056be-40571d call 408bc5 * 4 call 403264 call 408bc5 * 3 759->763 774 405734 call 403c2e 760->774 775 4055b5-4055b7 760->775 811 40571f-405731 763->811 780 405739-405742 774->780 775->774 778 4055bd-4055cf call 40140a call 408bd0 775->778 794 4055d1-4055dc 778->794 795 4055de 778->795 783 405744-405746 780->783 784 40574a-4057bb call 40246d call 408bc5 * 4 call 403264 call 408bc5 * 3 780->784 783->784 784->811 798 4055e0-40562f call 40222c call 401adb 794->798 795->798 798->780 813 405635-40563b 798->813 814 405657-405660 813->814 815 40563d-405651 call 40c9e9 813->815 818 405662 814->818 819 40568f-405698 814->819 815->774 815->814 823 405665-40568a 818->823 824 4056a0-4056a9 819->824 825 40569a-40569c 819->825 823->823 827 40568c 823->827 824->759 824->760 825->824 827->819
                                                            C-Code - Quality: 90%
                                                            			E0040543E(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				intOrPtr _t199;
                                                            				signed int _t206;
                                                            				intOrPtr* _t208;
                                                            				intOrPtr* _t220;
                                                            				intOrPtr _t227;
                                                            				intOrPtr* _t230;
                                                            				intOrPtr _t233;
                                                            				void* _t237;
                                                            				intOrPtr _t242;
                                                            				intOrPtr _t277;
                                                            				signed int _t279;
                                                            				intOrPtr _t280;
                                                            				intOrPtr* _t282;
                                                            				intOrPtr* _t286;
                                                            				intOrPtr _t288;
                                                            				intOrPtr* _t290;
                                                            				intOrPtr* _t291;
                                                            				void* _t296;
                                                            
                                                            				_t296 = __eflags;
                                                            				_push(0x10c);
                                                            				E00416B21(E00421214, __ebx, __edi, __esi);
                                                            				_t282 = __ecx;
                                                            				 *((intOrPtr*)(_t291 + 0x1c)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x20)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x24)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x28)) = 8;
                                                            				 *((intOrPtr*)(_t291 + 0x18)) = 0x423384;
                                                            				_t279 = 0x42341c;
                                                            				 *(_t291 - 4) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x58)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x54)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x50)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x4c)) = 1;
                                                            				 *(_t291 - 0x5c) = 0x42341c;
                                                            				_t242 = 4;
                                                            				 *((intOrPtr*)(_t291 - 0x6c)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x68)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x64)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x60)) = _t242;
                                                            				 *((intOrPtr*)(_t291 - 0x70)) = 0x423358;
                                                            				 *((intOrPtr*)(_t291 + 0x30)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x34)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x38)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x3c)) = _t242;
                                                            				 *((intOrPtr*)(_t291 + 0x2c)) = 0x423498;
                                                            				 *((intOrPtr*)(_t291 - 0x44)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x40)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x3c)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x38)) = _t242;
                                                            				 *((intOrPtr*)(_t291 - 0x48)) = 0x423358;
                                                            				 *((intOrPtr*)(_t291 - 0x1c)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x18)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x14)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x10)) = 8;
                                                            				 *((intOrPtr*)(_t291 - 0x20)) = 0x423384;
                                                            				 *((intOrPtr*)(_t291 - 0x30)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x2c)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x28)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x24)) = 1;
                                                            				 *(_t291 - 0x34) = 0x42341c;
                                                            				 *((intOrPtr*)(_t291 + 4)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 8)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0xc)) = 0;
                                                            				 *((intOrPtr*)(_t291 + 0x10)) = _t242;
                                                            				 *_t291 = 0x423358;
                                                            				_t286 =  *((intOrPtr*)(_t291 + 0x64));
                                                            				 *(_t291 - 4) = 7;
                                                            				E004053BF(0, __ecx, 0x42341c, 0, _t286, _t291 + 0x18, _t291 - 0x5c, _t291 - 0x70, _t291 + 0x2c, _t291 - 0x48, _t291 - 0x20, _t291 - 0x34, _t291);
                                                            				 *(_t291 + 0x40) = 0;
                                                            				E004019B6(_t291 - 0x118, _t296, 1);
                                                            				 *((intOrPtr*)(_t291 + 0x44)) =  *_t286 +  *((intOrPtr*)(_t291 + 0x5c));
                                                            				asm("adc eax, [ebp+0x60]");
                                                            				_t297 =  *((intOrPtr*)(_t291 + 0x34));
                                                            				 *((intOrPtr*)(_t291 + 0x48)) =  *((intOrPtr*)(_t286 + 4));
                                                            				 *(_t291 + 0x60) = 0;
                                                            				if( *((intOrPtr*)(_t291 + 0x34)) <= 0) {
                                                            					L17:
                                                            					 *(_t291 - 4) = 7;
                                                            					E0040246D(_t291 - 0x118, _t286, _t307); // executed
                                                            					 *(_t291 - 4) = 6;
                                                            					E00408BC5(_t291);
                                                            					 *(_t291 - 4) = 5;
                                                            					E00408BC5(_t291 - 0x34);
                                                            					 *(_t291 - 4) = 4;
                                                            					E00408BC5(_t291 - 0x20);
                                                            					 *(_t291 - 4) = 3;
                                                            					E00408BC5(_t291 - 0x48);
                                                            					 *(_t291 - 4) = 2;
                                                            					E00403264(0, _t291 + 0x2c, _t282, _t286, _t307);
                                                            					 *(_t291 - 4) = 1;
                                                            					E00408BC5(_t291 - 0x70);
                                                            					 *(_t291 - 4) = 0;
                                                            					E00408BC5(_t291 - 0x5c);
                                                            					 *(_t291 - 4) =  *(_t291 - 4) | 0xffffffff;
                                                            					E00408BC5(_t291 + 0x18);
                                                            					_t199 = 0;
                                                            					L18:
                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t291 - 0xc));
                                                            					return _t199;
                                                            				}
                                                            				 *((intOrPtr*)(_t291 - 0x88)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x84)) = 0;
                                                            				 *((intOrPtr*)(_t291 - 0x8c)) = 0x423364;
                                                            				while(1) {
                                                            					 *((intOrPtr*)(_t291 + 0x64)) =  *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x38)) +  *(_t291 + 0x60) * 4));
                                                            					_t288 =  *((intOrPtr*)(_t291 + 0x68));
                                                            					_t67 = _t291 - 0x8c; // 0x423364
                                                            					 *(_t291 - 4) = 9;
                                                            					E00404E08(0, _t288, _t282, _t288, _t297);
                                                            					_push(0);
                                                            					 *(_t291 - 4) = 8;
                                                            					L00408BFB(0, _t282, _t288, _t297);
                                                            					_t289 =  *( *((intOrPtr*)(_t288 + 0xc)) +  *(_t288 + 8) * 4 - 4);
                                                            					_t260 =  *((intOrPtr*)(_t291 + 0x64));
                                                            					 *(_t291 + 0x50) =  *( *((intOrPtr*)(_t288 + 0xc)) +  *(_t288 + 8) * 4 - 4);
                                                            					_t206 = E004023E2( *((intOrPtr*)(_t291 + 0x64)));
                                                            					 *(_t291 - 0x80) = _t206;
                                                            					if(_t206 != _t206) {
                                                            						break;
                                                            					}
                                                            					_t299 = 0 - _t279;
                                                            					if(0 != _t279) {
                                                            						break;
                                                            					}
                                                            					E0040140A(_t289, _t291, _t206);
                                                            					_t220 = E00408BD0(0, _t282, _t299, 0x14);
                                                            					_t300 = _t220;
                                                            					if(_t220 == 0) {
                                                            						_t290 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						 *((intOrPtr*)(_t220 + 4)) = 0;
                                                            						 *_t220 = 0x423518;
                                                            						_t290 = _t220;
                                                            					}
                                                            					E0040222C(_t291 + 0x4c, _t290);
                                                            					_push( *((intOrPtr*)(_t291 + 0x70)));
                                                            					_push( *((intOrPtr*)(_t291 + 0x6c)));
                                                            					_push(0);
                                                            					_push( *((intOrPtr*)(_t291 + 0x4c)));
                                                            					 *((intOrPtr*)(_t290 + 8)) =  *((intOrPtr*)( *(_t291 + 0x50) + 8));
                                                            					_push( *((intOrPtr*)(_t291 + 0x64)));
                                                            					 *(_t290 + 0xc) =  *(_t291 - 0x80);
                                                            					 *((intOrPtr*)(_t290 + 0x10)) = 0;
                                                            					_t91 = _t291 + 0x40; // 0x42352c
                                                            					_t289 =  *_t91;
                                                            					_push( *((intOrPtr*)(_t291 + 0x24)) + _t289 * 8);
                                                            					_push( *((intOrPtr*)(_t291 + 0x48)));
                                                            					 *(_t291 - 4) = 0xa;
                                                            					_push( *((intOrPtr*)(_t291 + 0x44)));
                                                            					_push( *_t282);
                                                            					_t227 = E00401ADB(0, _t291 - 0x118, _t282, _t289, _t300);
                                                            					 *((intOrPtr*)(_t291 + 0x14)) = _t227;
                                                            					if(_t227 != 0) {
                                                            						L20:
                                                            						_t208 =  *((intOrPtr*)(_t291 + 0x4c));
                                                            						 *(_t291 - 4) = 8;
                                                            						__eflags = _t208;
                                                            						if(__eflags != 0) {
                                                            							 *((intOrPtr*)( *_t208 + 8))(_t208);
                                                            						}
                                                            						 *(_t291 - 4) = 7;
                                                            						E0040246D(_t291 - 0x118, _t289, __eflags);
                                                            						 *(_t291 - 4) = 6;
                                                            						E00408BC5(_t291);
                                                            						 *(_t291 - 4) = 5;
                                                            						E00408BC5(_t291 - 0x34);
                                                            						 *(_t291 - 4) = 4;
                                                            						E00408BC5(_t291 - 0x20);
                                                            						 *(_t291 - 4) = 3;
                                                            						E00408BC5(_t291 - 0x48);
                                                            						 *(_t291 - 4) = 2;
                                                            						E00403264(0, _t291 + 0x2c, _t282, _t289, __eflags);
                                                            						 *(_t291 - 4) = 1;
                                                            						E00408BC5(_t291 - 0x70);
                                                            						 *(_t291 - 4) = 0;
                                                            						E00408BC5(_t291 - 0x5c);
                                                            						 *(_t291 - 4) =  *(_t291 - 4) | 0xffffffff;
                                                            						E00408BC5(_t291 + 0x18);
                                                            						_t199 =  *((intOrPtr*)(_t291 + 0x14));
                                                            						goto L18;
                                                            					} else {
                                                            						if( *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x54)) == 0) {
                                                            							L10:
                                                            							 *(_t291 + 0x50) = 0;
                                                            							if( *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x30)) <= 0) {
                                                            								L14:
                                                            								_t230 =  *((intOrPtr*)(_t291 + 0x4c));
                                                            								 *(_t291 - 4) = 8;
                                                            								if(_t230 != 0) {
                                                            									 *((intOrPtr*)( *_t230 + 8))(_t230);
                                                            								}
                                                            								 *(_t291 + 0x60) =  *(_t291 + 0x60) + 1;
                                                            								_t307 =  *(_t291 + 0x60) -  *((intOrPtr*)(_t291 + 0x34));
                                                            								if( *(_t291 + 0x60) <  *((intOrPtr*)(_t291 + 0x34))) {
                                                            									continue;
                                                            								} else {
                                                            									goto L17;
                                                            								}
                                                            							}
                                                            							_t277 =  *((intOrPtr*)(_t291 + 0x24));
                                                            							do {
                                                            								_t280 =  *((intOrPtr*)(_t277 + 4 + _t289 * 8));
                                                            								_t233 =  *((intOrPtr*)(_t277 + _t289 * 8));
                                                            								_t289 = _t289 + 1;
                                                            								 *((intOrPtr*)(_t291 + 0x44)) =  *((intOrPtr*)(_t291 + 0x44)) + _t233;
                                                            								 *((intOrPtr*)(_t291 - 0x74)) = _t280;
                                                            								asm("adc [ebp+0x48], edx");
                                                            								 *((intOrPtr*)(_t282 + 0x48)) =  *((intOrPtr*)(_t282 + 0x48)) + _t233;
                                                            								asm("adc [edi+0x4c], eax");
                                                            								 *(_t291 + 0x50) =  *(_t291 + 0x50) + 1;
                                                            								_t279 =  *(_t291 + 0x50);
                                                            							} while (_t279 <  *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x30)));
                                                            							 *(_t291 + 0x40) = _t289;
                                                            							goto L14;
                                                            						}
                                                            						_t279 =  *(_t291 - 0x80);
                                                            						_t237 = E0040C9E9( *((intOrPtr*)( *(_t291 + 0x50) + 8)), _t279);
                                                            						_t260 =  *((intOrPtr*)(_t291 + 0x64));
                                                            						if(_t237 !=  *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x50))) {
                                                            							break;
                                                            						}
                                                            						goto L10;
                                                            					}
                                                            				}
                                                            				E00403C2E(_t260, _t282);
                                                            				goto L20;
                                                            			}


                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040544C
                                                            • ~_Task_impl.LIBCPMT ref: 004056F5
                                                              • Part of subcall function 00404E08: __EH_prolog3.LIBCMT ref: 00404E0F
                                                            • ~_Task_impl.LIBCPMT ref: 00405790
                                                              • Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3Task_impl$Exception@8Throw_malloc
                                                            • String ID: ,5B$X3B$d3B
                                                            • API String ID: 3886086520-1481860430
                                                            • Opcode ID: 85d03e3685e81ff3b769d94fe1e0308ece955acc27123708505d5f255a3a9165
                                                            • Instruction ID: 814289aad0976a7bf2f57e0359f589b9b41a73cc03a2e1a0d3bfeed728cac17b
                                                            • Opcode Fuzzy Hash: 85d03e3685e81ff3b769d94fe1e0308ece955acc27123708505d5f255a3a9165
                                                            • Instruction Fuzzy Hash: A8D105B0901248DFCB14DFA9C980ADDBBB4FF18304F5481AEF959A7281DB78AA45CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 833 405e50-405e91 call 416b21 call 403043 838 405e93 call 403c2e 833->838 839 405e98-405ec6 call 40c9e9 833->839 838->839 839->838 843 405ec8-405ee7 839->843 844 4060e4-4060e9 call 416bf9 843->844 845 405eed-405eef 843->845 847 405ef1-405ef5 845->847 848 405ef7-405efa 845->848 847->848 850 405eff-405f02 847->850 848->844 851 405f04 850->851 852 405f0b-405f20 call 409f8a 850->852 851->848 853 405f06-405f09 851->853 852->844 855 405f26-405f51 call 40140a call 40b06f 852->855 853->848 853->852 860 405f53 855->860 861 405f64-405f9c call 40c9e9 855->861 862 405f55-405f5f call 408bfb 860->862 861->838 867 405fa2-405fdf call 404430 call 403cc9 861->867 868 4060e3 862->868 873 405fe1-405fe3 867->873 874 405fe9-405fec 867->874 868->844 873->874 875 40609f-4060e1 call 4057c0 call 404035 call 4043f7 call 408bfb 873->875 874->838 876 405ff2-405ff4 874->876 875->868 876->838 877 405ffa-406019 call 40543e 876->877 882 40601e-406022 877->882 884 406041-406045 882->884 885 406024-40603c call 404035 call 4043f7 882->885 888 406066-40606a 884->888 889 406047-40605f call 404035 call 4043f7 884->889 885->862 888->838 892 406070-406091 call 4043f7 call 404430 call 403cc9 888->892 889->888 892->838 907 406097-406099 892->907 907->838 907->875
                                                            C-Code - Quality: 93%
                                                            			E00405E50(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				char* _t97;
                                                            				intOrPtr* _t111;
                                                            				signed int _t114;
                                                            				void* _t120;
                                                            				void* _t123;
                                                            				void* _t130;
                                                            				signed int _t133;
                                                            				signed int _t143;
                                                            				signed int _t144;
                                                            				void* _t149;
                                                            				void* _t164;
                                                            				signed int _t167;
                                                            				intOrPtr _t169;
                                                            				intOrPtr* _t171;
                                                            				signed int _t172;
                                                            				void* _t173;
                                                            
                                                            				_push(0x34);
                                                            				E00416B21(E004212C3, __ebx, __edi, __esi);
                                                            				_t171 = __ecx;
                                                            				_t169 =  *((intOrPtr*)(_t173 + 8));
                                                            				E00403043(_t169);
                                                            				 *((intOrPtr*)(_t169 + 0x138)) =  *((intOrPtr*)(_t171 + 0x20));
                                                            				 *((intOrPtr*)(_t169 + 0x13c)) =  *((intOrPtr*)(_t171 + 0x24));
                                                            				_t97 = _t169 + 0x130;
                                                            				 *_t97 =  *((intOrPtr*)(_t171 + 0x2e));
                                                            				_t148 =  *((intOrPtr*)(_t171 + 0x2f));
                                                            				 *((char*)(_t169 + 0x131)) =  *((intOrPtr*)(_t171 + 0x2f));
                                                            				if( *_t97 != 0) {
                                                            					L1:
                                                            					E00403C2E(_t148, _t169);
                                                            				}
                                                            				_t143 =  *(_t171 + 0x40);
                                                            				 *((intOrPtr*)(_t173 + 8)) =  *((intOrPtr*)(_t171 + 0x30));
                                                            				_t148 = _t171 + 0x34;
                                                            				 *((intOrPtr*)(_t173 - 0x18)) =  *_t148;
                                                            				 *((intOrPtr*)(_t173 - 0x14)) =  *((intOrPtr*)(_t148 + 4));
                                                            				 *(_t173 - 0x20) =  *(_t171 + 0x3c);
                                                            				_t164 = 0x14;
                                                            				 *((intOrPtr*)(_t173 - 0x10)) =  *((intOrPtr*)(_t171 + 0x44));
                                                            				if(E0040C9E9(_t148, _t164) !=  *((intOrPtr*)(_t173 + 8))) {
                                                            					goto L1;
                                                            				}
                                                            				 *((intOrPtr*)(_t169 + 0x140)) =  *((intOrPtr*)(_t171 + 0x20)) + 0x20;
                                                            				_t149 = 0;
                                                            				asm("adc edx, ecx");
                                                            				_t108 =  *(_t173 - 0x20) | _t143;
                                                            				 *((intOrPtr*)(_t169 + 0x144)) =  *((intOrPtr*)(_t171 + 0x24));
                                                            				if(( *(_t173 - 0x20) | _t143) != 0) {
                                                            					if(_t143 > _t149 ||  *(_t173 - 0x20) > 0xffffffff) {
                                                            						L6:
                                                            						_t108 = 1;
                                                            					} else {
                                                            						__eflags =  *((intOrPtr*)(_t173 - 0x14)) - _t149;
                                                            						if(__eflags > 0) {
                                                            							L10:
                                                            							_t111 =  *_t171;
                                                            							_t108 =  *((intOrPtr*)( *_t111 + 0x10))(_t111,  *((intOrPtr*)(_t173 - 0x18)),  *((intOrPtr*)(_t173 - 0x14)), 1, _t149);
                                                            							__eflags = _t108;
                                                            							if(_t108 == 0) {
                                                            								 *((intOrPtr*)(_t173 - 0x2c)) = 0x423364;
                                                            								 *((intOrPtr*)(_t173 - 0x28)) = 0;
                                                            								 *((intOrPtr*)(_t173 - 0x24)) = 0;
                                                            								 *((intOrPtr*)(_t173 - 4)) = 0;
                                                            								_t38 = _t173 - 0x2c; // 0x423364
                                                            								E0040140A(_t38, _t173,  *(_t173 - 0x20));
                                                            								_t114 = E0040B06F(__eflags,  *_t171,  *((intOrPtr*)(_t173 - 0x24)),  *(_t173 - 0x20)); // executed
                                                            								__eflags = _t114;
                                                            								if(__eflags == 0) {
                                                            									_t167 =  *(_t173 - 0x20);
                                                            									asm("adc ecx, 0x0");
                                                            									 *((intOrPtr*)(_t171 + 0x48)) =  *((intOrPtr*)(_t171 + 0x48)) + _t167 + 0x20;
                                                            									asm("adc [esi+0x4c], ecx");
                                                            									_t148 =  *((intOrPtr*)(_t173 - 0x24));
                                                            									asm("adc ebx, [ebp-0x14]");
                                                            									asm("adc ebx, 0x0");
                                                            									 *((intOrPtr*)(_t169 + 0x1c8)) = _t167 +  *((intOrPtr*)(_t173 - 0x18)) + 0x20;
                                                            									 *(_t169 + 0x1cc) = _t143;
                                                            									_t120 = E0040C9E9( *((intOrPtr*)(_t173 - 0x24)), _t167);
                                                            									__eflags = _t120 -  *((intOrPtr*)(_t173 - 0x10));
                                                            									if(_t120 !=  *((intOrPtr*)(_t173 - 0x10))) {
                                                            										goto L1;
                                                            									} else {
                                                            										 *((char*)(_t173 - 0x14)) = 0;
                                                            										_t51 = _t173 - 0x2c; // 0x423364
                                                            										 *((char*)(_t173 - 4)) = 1;
                                                            										E00404430(_t171, _t51);
                                                            										_t144 = 0;
                                                            										 *((intOrPtr*)(_t173 - 0x3c)) = 0;
                                                            										 *(_t173 - 0x38) = 0;
                                                            										 *((intOrPtr*)(_t173 - 0x34)) = 0;
                                                            										 *((intOrPtr*)(_t173 - 0x30)) = 4;
                                                            										 *((intOrPtr*)(_t173 - 0x40)) = 0x42352c;
                                                            										_t148 =  *((intOrPtr*)(_t171 + 0x18));
                                                            										 *((char*)(_t173 - 4)) = 2;
                                                            										_t123 = E00403CC9( *((intOrPtr*)(_t171 + 0x18)), _t167);
                                                            										__eflags = _t123 - 1;
                                                            										if(_t123 != 1) {
                                                            											L17:
                                                            											__eflags = _t123 - 0x17;
                                                            											if(_t123 != 0x17) {
                                                            												goto L1;
                                                            											} else {
                                                            												__eflags = _t167 - _t144;
                                                            												if(__eflags != 0) {
                                                            													goto L1;
                                                            												} else {
                                                            													_t62 = _t173 - 0x40; // 0x42352c
                                                            													_t148 = _t171;
                                                            													_t144 = E0040543E(_t144, _t171, _t169, _t171, __eflags,  *((intOrPtr*)(_t169 + 0x140)),  *((intOrPtr*)(_t169 + 0x144)), _t169 + 0x150, _t62,  *((intOrPtr*)(_t173 + 0xc)),  *((intOrPtr*)(_t173 + 0x10)));
                                                            													__eflags = _t144;
                                                            													if(__eflags == 0) {
                                                            														__eflags =  *(_t173 - 0x38);
                                                            														if(__eflags != 0) {
                                                            															__eflags =  *(_t173 - 0x38) - 1;
                                                            															if( *(_t173 - 0x38) > 1) {
                                                            																goto L1;
                                                            															} else {
                                                            																E004043F7(_t173 - 0x18);
                                                            																E00404430(_t171,  *((intOrPtr*)( *((intOrPtr*)(_t173 - 0x34)))));
                                                            																_t148 =  *((intOrPtr*)(_t171 + 0x18));
                                                            																_t130 = E00403CC9( *((intOrPtr*)(_t171 + 0x18)), _t167);
                                                            																__eflags = _t130 - 1;
                                                            																if(_t130 != 1) {
                                                            																	goto L1;
                                                            																} else {
                                                            																	__eflags = _t167;
                                                            																	if(__eflags != 0) {
                                                            																		goto L1;
                                                            																	} else {
                                                            																		goto L26;
                                                            																	}
                                                            																}
                                                            															}
                                                            														} else {
                                                            															_t72 = _t173 - 0x40; // 0x42352c
                                                            															 *((char*)(_t173 - 4)) = 1;
                                                            															E00404035(_t144, _t72, _t169, _t171, __eflags);
                                                            															 *((char*)(_t173 - 4)) = 0;
                                                            															E004043F7(_t173 - 0x18);
                                                            															_t144 = 0;
                                                            															goto L13;
                                                            														}
                                                            													} else {
                                                            														_t67 = _t173 - 0x40; // 0x42352c
                                                            														 *((char*)(_t173 - 4)) = 1;
                                                            														E00404035(_t144, _t67, _t169, _t171, __eflags);
                                                            														 *((char*)(_t173 - 4)) = 0;
                                                            														E004043F7(_t173 - 0x18);
                                                            														goto L13;
                                                            													}
                                                            												}
                                                            											}
                                                            										} else {
                                                            											__eflags = _t167;
                                                            											if(__eflags == 0) {
                                                            												L26:
                                                            												 *((intOrPtr*)(_t169 + 0x1c0)) =  *((intOrPtr*)(_t171 + 0x48));
                                                            												 *((intOrPtr*)(_t169 + 0x1c4)) =  *((intOrPtr*)(_t171 + 0x4c));
                                                            												_t133 = E004057C0(_t144, _t171, _t167, _t169, _t171, __eflags, _t169,  *((intOrPtr*)(_t173 + 0xc)),  *((intOrPtr*)(_t173 + 0x10)));
                                                            												_t87 = _t173 - 0x40; // 0x42352c
                                                            												_t172 = _t133;
                                                            												 *((char*)(_t173 - 4)) = 1;
                                                            												E00404035(_t144, _t87, _t169, _t172, __eflags);
                                                            												 *((char*)(_t173 - 4)) = 0;
                                                            												E004043F7(_t173 - 0x18);
                                                            												_push( *((intOrPtr*)(_t173 - 0x24)));
                                                            												L00408BFB(_t144, _t169, _t172, __eflags);
                                                            												_t108 = _t172;
                                                            												goto L27;
                                                            											} else {
                                                            												goto L17;
                                                            											}
                                                            										}
                                                            									}
                                                            								} else {
                                                            									_t144 = _t114;
                                                            									L13:
                                                            									_push( *((intOrPtr*)(_t173 - 0x24)));
                                                            									L00408BFB(_t144, _t169, _t171, __eflags);
                                                            									_t108 = _t144;
                                                            									L27:
                                                            								}
                                                            							}
                                                            						} else {
                                                            							if(__eflags < 0) {
                                                            								goto L6;
                                                            							} else {
                                                            								__eflags =  *((intOrPtr*)(_t173 - 0x18)) - _t149;
                                                            								if( *((intOrPtr*)(_t173 - 0x18)) < _t149) {
                                                            									goto L6;
                                                            								} else {
                                                            									goto L10;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return E00416BF9(_t108);
                                                            			}




















                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00405E57
                                                              • Part of subcall function 00403C2E: __CxxThrowException@8.LIBCMT ref: 00403C48
                                                            • ~_Task_impl.LIBCPMT ref: 0040602B
                                                            • ~_Task_impl.LIBCPMT ref: 0040604E
                                                            • ~_Task_impl.LIBCPMT ref: 004060C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Task_impl$Exception@8H_prolog3Throw
                                                            • String ID: ,5B$d3B
                                                            • API String ID: 2671850710-4022472632
                                                            • Opcode ID: 7c0775fd51aa641adf85b337397f615fa1b72316e97e0daecfbe9a7385fd49df
                                                            • Instruction ID: 22ed54c7a815a4ab7570c59c5c815cf412b8cd08c948cb3af00627dc78b13c80
                                                            • Opcode Fuzzy Hash: 7c0775fd51aa641adf85b337397f615fa1b72316e97e0daecfbe9a7385fd49df
                                                            • Instruction Fuzzy Hash: 89813970A00649DFCB15DFA5C881ADEBBB0FF08304F14452EE545B7391D739AA44CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 86%
                                                            			E0041203E(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed short* _t35;
                                                            				int _t36;
                                                            				void* _t41;
                                                            				void* _t47;
                                                            				void* _t52;
                                                            				struct HWND__** _t78;
                                                            				void* _t80;
                                                            				void* _t82;
                                                            
                                                            				_push(0x24);
                                                            				E00416B21(E00421EEC, __ebx, __edi, __esi);
                                                            				_t80 = __ecx;
                                                            				 *(__ecx + 0x40) =  *(__ecx + 0x40) | 0xffffffff;
                                                            				 *(__ecx + 0x44) =  *(__ecx + 0x44) | 0xffffffff;
                                                            				 *(__ecx + 0x4c) =  *(__ecx + 0x4c) | 0xffffffff;
                                                            				_t78 = __ecx + 4;
                                                            				 *((intOrPtr*)(_t80 + 0x48)) = GetDlgItem( *_t78, 0x3e8);
                                                            				_t35 = _t80 + 0x98;
                                                            				_t84 =  *_t35;
                                                            				if( *_t35 >= 0) {
                                                            					SendMessageW( *_t78, 0x80, 1, LoadIconW( *0x43063c,  *_t35 & 0x0000ffff));
                                                            				}
                                                            				_t36 = SetTimer( *_t78, 3, 0x64, 0); // executed
                                                            				 *(_t80 + 0x20) = _t36;
                                                            				E00411A09(_t78,  *((intOrPtr*)(_t80 + 0x24)));
                                                            				E00411E99(_t80);
                                                            				E0040320A(_t82 - 0x24);
                                                            				 *((intOrPtr*)(_t82 - 4)) = 0;
                                                            				_t41 = E0040C825(_t82 - 0x24, _t82 - 0x18, 0x47);
                                                            				 *((char*)(_t82 - 4)) = 1;
                                                            				E00408639(_t82 - 0x24, _t82, _t41);
                                                            				_push( *(_t82 - 0x18));
                                                            				 *((char*)(_t82 - 4)) = 0;
                                                            				L00408BFB(0, _t78, _t80, _t84);
                                                            				SetDlgItemTextW( *_t78, 0x3e7,  *(_t82 - 0x24)); // executed
                                                            				E0040320A(_t82 - 0x18);
                                                            				 *((char*)(_t82 - 4)) = 2;
                                                            				_t47 = E0040C825(_t82 - 0x18, _t82 - 0x30, 0x15);
                                                            				 *((char*)(_t82 - 4)) = 3;
                                                            				E00408639(_t82 - 0x18, _t82, _t47);
                                                            				_push( *((intOrPtr*)(_t82 - 0x30)));
                                                            				 *((char*)(_t82 - 4)) = 2;
                                                            				L00408BFB(SetDlgItemTextW, _t78, _t80, _t84);
                                                            				SetDlgItemTextW( *_t78, 2,  *(_t82 - 0x18)); // executed
                                                            				 *(_t80 + 0x58) =  *_t78;
                                                            				_t52 = E00410729(_t80);
                                                            				 *((char*)(_t80 + 0x50)) = 1;
                                                            				_t81 = _t80 + 0x54;
                                                            				_t64 = _t52;
                                                            				E0040FCA0(_t80 + 0x54);
                                                            				_push( *(_t82 - 0x18));
                                                            				L00408BFB(_t52, _t78, _t81, _t80 + 0x54);
                                                            				_push( *(_t82 - 0x24));
                                                            				L00408BFB(_t52, _t78, _t81, _t80 + 0x54);
                                                            				return E00416BF9(_t64);
                                                            			}












                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00412045
                                                            • GetDlgItem.USER32 ref: 00412062
                                                            • LoadIconW.USER32(?), ref: 00412081
                                                            • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00412091
                                                            • SetTimer.USER32(?,00000003,00000064,00000000), ref: 0041209E
                                                            • SetDlgItemTextW.USER32 ref: 004120F7
                                                            • SetDlgItemTextW.USER32 ref: 00412131
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Item$Text$H_prolog3IconLoadMessageSendTimer
                                                            • String ID:
                                                            • API String ID: 939275570-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 89%
                                                            			E00401ADB(void* __ebx, signed int* __ecx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				signed int _t329;
                                                            				signed int _t346;
                                                            				intOrPtr* _t355;
                                                            				signed int _t357;
                                                            				signed int _t360;
                                                            				signed int _t361;
                                                            				signed int _t369;
                                                            				signed int _t370;
                                                            				signed int _t383;
                                                            				signed int _t389;
                                                            				signed int _t390;
                                                            				unsigned int _t394;
                                                            				signed int _t398;
                                                            				signed int _t404;
                                                            				signed int _t405;
                                                            				signed int _t410;
                                                            				signed int _t411;
                                                            				signed int _t412;
                                                            				signed int _t418;
                                                            				signed int _t424;
                                                            				signed int _t425;
                                                            				signed int _t427;
                                                            				signed int _t428;
                                                            				signed char _t429;
                                                            				signed int _t432;
                                                            				signed int _t440;
                                                            				signed int _t446;
                                                            				signed int _t447;
                                                            				intOrPtr _t478;
                                                            				intOrPtr _t488;
                                                            				signed int _t494;
                                                            				unsigned int* _t504;
                                                            				signed int _t508;
                                                            				signed int _t521;
                                                            				signed int _t543;
                                                            				signed int _t549;
                                                            				signed int _t550;
                                                            				signed int _t551;
                                                            				intOrPtr* _t553;
                                                            				signed int _t555;
                                                            				signed int* _t556;
                                                            				intOrPtr* _t557;
                                                            				signed int _t558;
                                                            				signed int _t561;
                                                            				signed int _t562;
                                                            				intOrPtr* _t563;
                                                            				void* _t568;
                                                            
                                                            				_t568 = __eflags;
                                                            				_t545 = __edi;
                                                            				_push(0xcc);
                                                            				E00416B21(E00420D66, __ebx, __edi, __esi);
                                                            				 *(_t563 + 0x34) = __ecx;
                                                            				_t555 =  *(_t563 + 0x60);
                                                            				if(E004041D7(__ebx, _t555, __edi, _t555, _t568) != 0) {
                                                            					 *((char*)( *((intOrPtr*)(_t563 + 0x70)))) = 0;
                                                            					 *((intOrPtr*)(_t563 + 4)) = 0;
                                                            					 *(_t563 + 8) = 0;
                                                            					 *((intOrPtr*)(_t563 + 0xc)) = 0;
                                                            					 *((intOrPtr*)(_t563 + 0x10)) = 4;
                                                            					 *_t563 = 0x4233bc;
                                                            					_push(_t563 - 0x70);
                                                            					 *(_t563 - 4) = 0;
                                                            					 *((intOrPtr*)(_t563 - 0x74)) = 0;
                                                            					E0040FCFC(__eflags);
                                                            					 *(_t563 - 4) = 1;
                                                            					E00406200(_t563 - 0x74,  *(_t563 + 0x50));
                                                            					__eflags =  *(_t555 + 0x30);
                                                            					 *(_t563 + 0x50) = 0;
                                                            					if(__eflags <= 0) {
                                                            						L15:
                                                            						_t457 = _t563 - 0xd8;
                                                            						 *(_t563 + 0x28) =  *( *(_t563 + 0x60) + 8);
                                                            						E004018AB(_t563 - 0xd8, __eflags);
                                                            						 *(_t563 - 4) = 4;
                                                            						E004017E4(_t563 - 0xd8,  *(_t563 + 0x60), _t563 - 0xd8);
                                                            						_t556 =  *(_t563 + 0x34);
                                                            						__eflags =  *_t556;
                                                            						if( *_t556 == 0) {
                                                            							L17:
                                                            							E00408B5A();
                                                            							_t547 =  &(_t556[0x1d]);
                                                            							E00402B01( &(_t556[0x1d]));
                                                            							__eflags = _t556[0x1a];
                                                            							if(__eflags != 0) {
                                                            								_t424 = E00408BD0(0, _t547, __eflags, 0x88);
                                                            								__eflags = _t424;
                                                            								if(_t424 == 0) {
                                                            									_t425 = 0;
                                                            									__eflags = 0;
                                                            								} else {
                                                            									_t425 = E004018D0(_t424);
                                                            								}
                                                            								_t556[0x1b] = _t425;
                                                            								E00406200(_t547, _t425);
                                                            								_t427 = _t556[0x1b];
                                                            								__eflags = _t427;
                                                            								if(_t427 == 0) {
                                                            									_t428 = 0;
                                                            									__eflags = 0;
                                                            								} else {
                                                            									_t428 = _t427 + 4;
                                                            								}
                                                            								_t556[0x1c] = _t428;
                                                            							}
                                                            							_t329 =  *((intOrPtr*)( *(_t556[0x1c])))(_t563 - 0xd8);
                                                            							__eflags = _t329;
                                                            							if(__eflags == 0) {
                                                            								__eflags =  *(_t563 + 0x28);
                                                            								 *(_t563 + 0x44) = 0;
                                                            								if(__eflags <= 0) {
                                                            									L45:
                                                            									E004019EB( &(_t556[1]), _t563 - 0xd8);
                                                            									 *_t556 = 1;
                                                            									L46:
                                                            									 *((intOrPtr*)( *(_t556[0x1c]) + 4))();
                                                            									__eflags =  *(_t563 + 0x28);
                                                            									 *(_t563 + 0x34) = 0;
                                                            									 *(_t563 + 0x30) = 0;
                                                            									 *(_t563 + 0x2c) = 0;
                                                            									if( *(_t563 + 0x28) <= 0) {
                                                            										L88:
                                                            										E004011A3(_t563 - 0xd8,  *((intOrPtr*)( *((intOrPtr*)(_t563 - 0x90)))), _t563 + 0x60, _t563 + 0x70);
                                                            										__eflags = _t556[0x1a];
                                                            										if(_t556[0x1a] != 0) {
                                                            											 *(_t556[0x1b] + 0x70) =  *(_t563 + 0x60);
                                                            										}
                                                            										__eflags =  *(_t563 + 0x28);
                                                            										if(__eflags != 0) {
                                                            											 *((intOrPtr*)(_t563 - 0x48)) = 0;
                                                            											 *((intOrPtr*)(_t563 - 0x44)) = 0;
                                                            											 *((intOrPtr*)(_t563 - 0x40)) = 0;
                                                            											 *((intOrPtr*)(_t563 - 0x3c)) = 4;
                                                            											 *((intOrPtr*)(_t563 - 0x4c)) = 0x42339c;
                                                            											 *(_t563 - 4) = 0xf;
                                                            											E00408A61(_t563 - 0x4c,  *(_t563 + 8));
                                                            											_t547 = 0;
                                                            											__eflags =  *(_t563 + 8);
                                                            											if( *(_t563 + 8) <= 0) {
                                                            												L102:
                                                            												_t557 = _t556[0x1d];
                                                            												 *((intOrPtr*)(_t563 - 0x24)) =  *((intOrPtr*)(_t563 + 0x64));
                                                            												_t558 =  *((intOrPtr*)( *_t557 + 0xc))(_t557,  *((intOrPtr*)(_t563 - 0x40)), 0,  *(_t563 + 8), _t563 - 0x24, 0, 1,  *((intOrPtr*)(_t563 + 0x68)));
                                                            												 *(_t563 - 4) = 4;
                                                            												E00408BC5(_t563 - 0x4c);
                                                            												goto L27;
                                                            											} else {
                                                            												goto L101;
                                                            											}
                                                            											do {
                                                            												L101:
                                                            												E0040105E(_t563 - 0x4c,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0xc)) + _t547 * 4)))));
                                                            												_t547 = _t547 + 1;
                                                            												__eflags = _t547 -  *(_t563 + 8);
                                                            											} while (_t547 <  *(_t563 + 8));
                                                            											goto L102;
                                                            										} else {
                                                            											_t558 = 0;
                                                            											goto L27;
                                                            										}
                                                            									}
                                                            									 *((intOrPtr*)(_t563 + 0x20)) = 0;
                                                            									do {
                                                            										 *(_t563 + 0x3c) =  *( *((intOrPtr*)( *(_t563 + 0x60) + 0xc)) +  *(_t563 + 0x2c) * 4);
                                                            										_t547 =  *( *((intOrPtr*)(_t563 + 0x20)) + _t556[0x21]);
                                                            										 *(_t563 + 0x24) = 0;
                                                            										_t355 =  *_t547;
                                                            										 *(_t563 - 4) = 8;
                                                            										 *((intOrPtr*)( *_t355))(_t355, 0x424064, _t563 + 0x24);
                                                            										_t357 =  *(_t563 + 0x24);
                                                            										__eflags = _t357;
                                                            										if(_t357 == 0) {
                                                            											L51:
                                                            											 *(_t563 - 4) = 4;
                                                            											__eflags = _t357;
                                                            											if(_t357 != 0) {
                                                            												 *((intOrPtr*)( *_t357 + 8))(_t357);
                                                            											}
                                                            											 *(_t563 + 0x44) = 0;
                                                            											_t547 =  *_t547;
                                                            											 *(_t563 - 4) = 9;
                                                            											 *( *_t547)(_t547, 0x4240e4, _t563 + 0x44);
                                                            											_t360 =  *(_t563 + 0x44);
                                                            											__eflags = _t360;
                                                            											if(_t360 == 0) {
                                                            												L61:
                                                            												 *(_t563 - 4) = 4;
                                                            												__eflags = _t360;
                                                            												if(_t360 != 0) {
                                                            													 *((intOrPtr*)( *_t360 + 8))(_t360);
                                                            												}
                                                            												_t361 =  *(_t563 + 0x3c);
                                                            												_t549 =  *(_t361 + 0x18);
                                                            												_t478 = 4;
                                                            												 *((intOrPtr*)(_t563 + 0x20)) =  *((intOrPtr*)(_t563 + 0x20)) + _t478;
                                                            												 *(_t563 + 0x40) =  *(_t361 + 0x14);
                                                            												 *((intOrPtr*)(_t563 - 0x1c)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x18)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x14)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x10)) = _t478;
                                                            												 *((intOrPtr*)(_t563 - 0x20)) = 0x423390;
                                                            												 *((intOrPtr*)(_t563 - 0x34)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x30)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x2c)) = 0;
                                                            												 *((intOrPtr*)(_t563 - 0x28)) = _t478;
                                                            												 *((intOrPtr*)(_t563 - 0x38)) = 0x423390;
                                                            												 *(_t563 - 4) = 0xe;
                                                            												E00408A61(_t563 - 0x20,  *(_t361 + 0x14));
                                                            												E00408A61(_t563 - 0x38, _t549);
                                                            												__eflags = _t549;
                                                            												if(_t549 <= 0) {
                                                            													_t547 =  *(_t563 + 0x60);
                                                            													goto L81;
                                                            												} else {
                                                            													 *(_t563 + 0x3c) = _t549;
                                                            													_t547 =  *(_t563 + 0x60);
                                                            													do {
                                                            														E0040105E(_t563 - 0x38,  *((intOrPtr*)(_t547 + 0x48)) +  *(_t563 + 0x30) * 8);
                                                            														 *(_t563 + 0x30) =  *(_t563 + 0x30) + 1;
                                                            														_t221 = _t563 + 0x3c;
                                                            														 *_t221 =  *(_t563 + 0x3c) - 1;
                                                            														__eflags =  *_t221;
                                                            													} while ( *_t221 != 0);
                                                            													L81:
                                                            													 *(_t563 + 0x3c) = 0;
                                                            													__eflags =  *(_t563 + 0x40);
                                                            													if( *(_t563 + 0x40) <= 0) {
                                                            														goto L87;
                                                            													} else {
                                                            														goto L82;
                                                            													}
                                                            													do {
                                                            														L82:
                                                            														_t369 = E00401237(_t547,  *(_t563 + 0x34));
                                                            														__eflags = _t369;
                                                            														if(_t369 < 0) {
                                                            															_t370 = E00401282(_t547,  *(_t563 + 0x34));
                                                            															__eflags = _t370;
                                                            															if(_t370 < 0) {
                                                            																 *(_t563 - 4) = 0xd;
                                                            																E00408BC5(_t563 - 0x38);
                                                            																 *(_t563 - 4) = 4;
                                                            																E00408BC5(_t563 - 0x20);
                                                            																goto L94;
                                                            															}
                                                            															_t488 =  *((intOrPtr*)(_t563 + 0x5c));
                                                            															goto L86;
                                                            														}
                                                            														_t370 =  *( *((intOrPtr*)(_t547 + 0x20)) + 4 + _t369 * 8);
                                                            														_t488 =  *((intOrPtr*)(_t547 + 0x48));
                                                            														L86:
                                                            														E0040105E(_t563 - 0x20, _t488 + _t370 * 8);
                                                            														 *(_t563 + 0x3c) =  *(_t563 + 0x3c) + 1;
                                                            														 *(_t563 + 0x34) =  &(( *(_t563 + 0x34))[0]);
                                                            														__eflags =  *(_t563 + 0x3c) -  *(_t563 + 0x40);
                                                            													} while ( *(_t563 + 0x3c) <  *(_t563 + 0x40));
                                                            													goto L87;
                                                            												}
                                                            											} else {
                                                            												_t494 =  *(_t563 + 0x6c);
                                                            												__eflags = _t494;
                                                            												if(__eflags == 0) {
                                                            													 *(_t563 - 4) = 4;
                                                            													 *((intOrPtr*)( *_t360 + 8))(_t360);
                                                            													L94:
                                                            													_t558 = 0x80004005;
                                                            													goto L27;
                                                            												}
                                                            												 *(_t563 + 0x38) = 0;
                                                            												 *(_t563 - 4) = 0xa;
                                                            												_t547 =  *((intOrPtr*)( *_t494 + 0xc))(_t494, _t563 + 0x38);
                                                            												__eflags = _t547;
                                                            												if(_t547 != 0) {
                                                            													L95:
                                                            													__imp__#6( *(_t563 + 0x38));
                                                            													_t383 =  *(_t563 + 0x44);
                                                            													 *(_t563 - 4) = 4;
                                                            													__eflags = _t383;
                                                            													if(__eflags != 0) {
                                                            														 *((intOrPtr*)( *_t383 + 8))(_t383);
                                                            													}
                                                            													_t558 = _t547;
                                                            													goto L27;
                                                            												}
                                                            												 *((intOrPtr*)(_t563 + 0x14)) = 0x423364;
                                                            												 *((intOrPtr*)(_t563 + 0x18)) = 0;
                                                            												 *(_t563 + 0x1c) = 0;
                                                            												 *(_t563 - 4) = 0xb;
                                                            												 *((char*)( *((intOrPtr*)(_t563 + 0x70)))) = 1;
                                                            												E00401647(_t563 - 0x58, _t563,  *(_t563 + 0x38));
                                                            												_t551 =  *(_t563 - 0x54);
                                                            												 *(_t563 - 4) = 0xc;
                                                            												 *(_t563 + 0x40) = _t551 + _t551;
                                                            												E0040140A(_t563 + 0x14, _t563, _t551 + _t551);
                                                            												__eflags = _t551;
                                                            												if(__eflags <= 0) {
                                                            													L59:
                                                            													_t389 =  *(_t563 + 0x44);
                                                            													_t390 =  *((intOrPtr*)( *_t389 + 0xc))(_t389,  *(_t563 + 0x1c),  *(_t563 + 0x40));
                                                            													_push( *((intOrPtr*)(_t563 - 0x58)));
                                                            													_t547 = _t390;
                                                            													L00408BFB(0, _t547, _t556, __eflags);
                                                            													_push( *(_t563 + 0x1c));
                                                            													__eflags = _t547;
                                                            													if(__eflags != 0) {
                                                            														L00408BFB(0, _t547, _t556, __eflags);
                                                            														goto L95;
                                                            													}
                                                            													 *((intOrPtr*)(_t563 + 0x14)) = 0x423364;
                                                            													L00408BFB(0, _t547, _t556, __eflags);
                                                            													__imp__#6( *(_t563 + 0x38));
                                                            													_t360 =  *(_t563 + 0x44);
                                                            													goto L61;
                                                            												}
                                                            												_t504 =  *(_t563 + 0x1c);
                                                            												_t543 =  *((intOrPtr*)(_t563 - 0x58)) - _t504;
                                                            												__eflags = _t543;
                                                            												do {
                                                            													_t394 =  *(_t504 + _t543) & 0x0000ffff;
                                                            													 *_t504 = _t394;
                                                            													_t504[0] = _t394 >> 8;
                                                            													_t504 =  &(_t504[0]);
                                                            													_t551 = _t551 - 1;
                                                            													__eflags = _t551;
                                                            												} while (__eflags != 0);
                                                            												goto L59;
                                                            											}
                                                            										}
                                                            										_t508 =  *( *(_t563 + 0x3c) + 0xc);
                                                            										 *(_t563 + 0x40) = _t508;
                                                            										__eflags = _t508 - 0xffffffff;
                                                            										if(__eflags > 0) {
                                                            											 *(_t563 - 4) = 4;
                                                            											L79:
                                                            											 *((intOrPtr*)( *_t357 + 8))(_t357);
                                                            											L77:
                                                            											_t558 = 0x80004001;
                                                            											goto L27;
                                                            										}
                                                            										_t398 =  *((intOrPtr*)( *_t357 + 0xc))(_t357,  *((intOrPtr*)( *(_t563 + 0x3c) + 0x10)),  *(_t563 + 0x40));
                                                            										 *(_t563 + 0x40) = _t398;
                                                            										__eflags = _t398;
                                                            										_t357 =  *(_t563 + 0x24);
                                                            										if(_t398 != 0) {
                                                            											L70:
                                                            											 *(_t563 - 4) = 4;
                                                            											__eflags = _t357;
                                                            											if(__eflags != 0) {
                                                            												 *((intOrPtr*)( *_t357 + 8))(_t357);
                                                            											}
                                                            											_t558 =  *(_t563 + 0x40);
                                                            											goto L27;
                                                            										}
                                                            										goto L51;
                                                            										L87:
                                                            										_t550 =  *(_t563 + 0x2c);
                                                            										 *((intOrPtr*)( *(_t556[0x1c]) + 8))(_t550,  *((intOrPtr*)(_t563 - 0x14)),  *((intOrPtr*)(_t563 - 0x2c)));
                                                            										 *(_t563 - 4) = 0xd;
                                                            										E00408BC5(_t563 - 0x38);
                                                            										 *(_t563 - 4) = 4;
                                                            										E00408BC5(_t563 - 0x20);
                                                            										_t547 = _t550 + 1;
                                                            										__eflags = _t547 -  *(_t563 + 0x28);
                                                            										 *(_t563 + 0x2c) = _t547;
                                                            									} while (_t547 <  *(_t563 + 0x28));
                                                            									goto L88;
                                                            								} else {
                                                            									goto L29;
                                                            								}
                                                            								while(1) {
                                                            									L29:
                                                            									_t547 =  *( *((intOrPtr*)( *(_t563 + 0x60) + 0xc)) +  *(_t563 + 0x44) * 4);
                                                            									 *(_t563 + 0x58) = 0;
                                                            									 *(_t563 + 0x50) = 0;
                                                            									_push(0);
                                                            									_push(_t563 + 0x50);
                                                            									_push(_t563 + 0x58);
                                                            									_push( *((intOrPtr*)(_t547 + 4)));
                                                            									 *(_t563 - 4) = 6;
                                                            									_push( *_t547);
                                                            									_t404 = E00409D4D( *(_t563 + 0x44), _t556, __eflags);
                                                            									 *(_t563 + 0x40) = _t404;
                                                            									__eflags = _t404;
                                                            									if(_t404 != 0) {
                                                            										break;
                                                            									}
                                                            									 *(_t563 + 0x38) = 0;
                                                            									__eflags =  *((intOrPtr*)(_t547 + 0x14)) - 1;
                                                            									 *(_t563 - 4) = 7;
                                                            									if( *((intOrPtr*)(_t547 + 0x14)) != 1) {
                                                            										L35:
                                                            										__eflags =  *(_t563 + 0x50);
                                                            										if( *(_t563 + 0x50) == 0) {
                                                            											_t357 =  *(_t563 + 0x58);
                                                            											 *(_t563 - 4) = 4;
                                                            											__eflags = _t357;
                                                            											if(__eflags == 0) {
                                                            												goto L77;
                                                            											}
                                                            											goto L79;
                                                            										}
                                                            										E00406200(_t563 + 0x38,  *(_t563 + 0x50));
                                                            										__eflags = _t556[0x1a];
                                                            										if(__eflags != 0) {
                                                            											E00406D8E(_t556[0x1b], _t563, __eflags,  *(_t563 + 0x50));
                                                            										}
                                                            										L38:
                                                            										_push(_t563 + 0x38);
                                                            										E004014BA(0,  &(_t556[0x1e]), _t547, _t556, __eflags);
                                                            										_t410 =  *(_t563 + 0x38);
                                                            										 *(_t563 - 4) = 6;
                                                            										__eflags = _t410;
                                                            										if(_t410 != 0) {
                                                            											 *((intOrPtr*)( *_t410 + 8))(_t410);
                                                            										}
                                                            										_t411 =  *(_t563 + 0x50);
                                                            										 *(_t563 - 4) = 5;
                                                            										__eflags = _t411;
                                                            										if(_t411 != 0) {
                                                            											 *((intOrPtr*)( *_t411 + 8))(_t411);
                                                            										}
                                                            										_t412 =  *(_t563 + 0x58);
                                                            										 *(_t563 - 4) = 4;
                                                            										__eflags = _t412;
                                                            										if(_t412 != 0) {
                                                            											 *((intOrPtr*)( *_t412 + 8))(_t412);
                                                            										}
                                                            										 *(_t563 + 0x44) =  *(_t563 + 0x44) + 1;
                                                            										__eflags =  *(_t563 + 0x44) -  *(_t563 + 0x28);
                                                            										if(__eflags < 0) {
                                                            											continue;
                                                            										} else {
                                                            											goto L45;
                                                            										}
                                                            									}
                                                            									__eflags =  *((intOrPtr*)(_t547 + 0x18)) - 1;
                                                            									if( *((intOrPtr*)(_t547 + 0x18)) != 1) {
                                                            										goto L35;
                                                            									}
                                                            									_t521 =  *(_t563 + 0x58);
                                                            									__eflags = _t521;
                                                            									if(_t521 == 0) {
                                                            										_t418 =  *(_t563 + 0x50);
                                                            										 *(_t563 - 4) = 5;
                                                            										__eflags = _t418;
                                                            										if(_t418 != 0) {
                                                            											 *((intOrPtr*)( *_t418 + 8))(_t418);
                                                            											_t521 =  *(_t563 + 0x58);
                                                            										}
                                                            										 *(_t563 - 4) = 4;
                                                            										__eflags = _t521;
                                                            										if(__eflags != 0) {
                                                            											 *((intOrPtr*)( *_t521 + 8))(_t521);
                                                            										}
                                                            										goto L77;
                                                            									}
                                                            									E00406200(_t563 + 0x38, _t521);
                                                            									__eflags = _t556[0x1a];
                                                            									if(__eflags != 0) {
                                                            										E00406D69(_t556[0x1b], _t563, __eflags,  *(_t563 + 0x58));
                                                            									}
                                                            									goto L38;
                                                            								}
                                                            								_t405 =  *(_t563 + 0x50);
                                                            								 *(_t563 - 4) = 5;
                                                            								__eflags = _t405;
                                                            								if(_t405 != 0) {
                                                            									 *((intOrPtr*)( *_t405 + 8))(_t405);
                                                            								}
                                                            								_t357 =  *(_t563 + 0x58);
                                                            								goto L70;
                                                            							} else {
                                                            								_t558 = _t329;
                                                            								L27:
                                                            								 *(_t563 - 4) = 1;
                                                            								E0040136C(0, _t563 - 0xd8, _t547, _t558, __eflags);
                                                            								 *(_t563 - 4) = 0;
                                                            								E004013EF(_t563 - 0x74);
                                                            								 *(_t563 - 4) =  *(_t563 - 4) | 0xffffffff;
                                                            								E00401489(0, _t563, _t547, _t558, __eflags);
                                                            								_t346 = _t558;
                                                            								goto L2;
                                                            							}
                                                            						}
                                                            						_t547 =  &(_t556[1]);
                                                            						_t429 = E004012A6(_t457,  &(_t556[1]), _t563 - 0xd8);
                                                            						_t556 =  *(_t563 + 0x34);
                                                            						asm("sbb al, al");
                                                            						__eflags =  ~_t429 + 1;
                                                            						if( ~_t429 + 1 == 0) {
                                                            							goto L46;
                                                            						}
                                                            						goto L17;
                                                            					} else {
                                                            						goto L4;
                                                            					}
                                                            					do {
                                                            						L4:
                                                            						_t432 = E00408BD0(0, _t545, __eflags, 0x18);
                                                            						__eflags = _t432;
                                                            						if(_t432 == 0) {
                                                            							_t561 = 0;
                                                            							__eflags = 0;
                                                            						} else {
                                                            							 *((intOrPtr*)(_t432 + 4)) = 0;
                                                            							 *_t432 = 0x423334;
                                                            							_t561 = _t432;
                                                            						}
                                                            						E0040222C(_t563 + 0x30, _t561);
                                                            						 *((intOrPtr*)(_t561 + 8)) = _t563 - 0x74;
                                                            						 *((intOrPtr*)(_t561 + 0x10)) =  *((intOrPtr*)(_t563 + 0x54));
                                                            						 *(_t561 + 0x14) =  *(_t563 + 0x58);
                                                            						_t553 =  *((intOrPtr*)(_t563 + 0x5c)) +  *(_t563 + 0x50) * 8;
                                                            						 *((intOrPtr*)(_t563 + 0x54)) =  *((intOrPtr*)(_t563 + 0x54)) +  *_t553;
                                                            						asm("adc [ebp+0x58], eax");
                                                            						 *(_t563 - 4) = 2;
                                                            						_t440 = E00408BD0(0, _t553, __eflags, 0x28);
                                                            						__eflags = _t440;
                                                            						if(_t440 == 0) {
                                                            							_t562 = 0;
                                                            							__eflags = 0;
                                                            						} else {
                                                            							 *((intOrPtr*)(_t440 + 4)) = 0;
                                                            							 *_t440 = 0x4233a8;
                                                            							 *((intOrPtr*)(_t440 + 8)) = 0;
                                                            							_t562 = _t440;
                                                            						}
                                                            						E0040222C(_t563 + 0x2c, _t562);
                                                            						_t37 = _t562 + 8; // 0x8
                                                            						 *(_t563 - 4) = 3;
                                                            						E00406200(_t37,  *(_t563 + 0x30));
                                                            						_t545 =  *((intOrPtr*)(_t553 + 4));
                                                            						 *((intOrPtr*)(_t562 + 0x10)) =  *_t553;
                                                            						_push(_t563 + 0x2c);
                                                            						 *((intOrPtr*)(_t562 + 0x14)) =  *((intOrPtr*)(_t553 + 4));
                                                            						 *((intOrPtr*)(_t562 + 0x18)) = 0;
                                                            						 *((intOrPtr*)(_t562 + 0x1c)) = 0;
                                                            						 *((char*)(_t562 + 0x20)) = 0;
                                                            						E004014BA(0, _t563,  *((intOrPtr*)(_t553 + 4)), _t562, __eflags);
                                                            						_t446 =  *(_t563 + 0x2c);
                                                            						 *(_t563 - 4) = 2;
                                                            						__eflags = _t446;
                                                            						if(_t446 != 0) {
                                                            							 *((intOrPtr*)( *_t446 + 8))(_t446);
                                                            						}
                                                            						_t447 =  *(_t563 + 0x30);
                                                            						 *(_t563 - 4) = 1;
                                                            						__eflags = _t447;
                                                            						if(_t447 != 0) {
                                                            							 *((intOrPtr*)( *_t447 + 8))(_t447);
                                                            						}
                                                            						 *(_t563 + 0x50) =  *(_t563 + 0x50) + 1;
                                                            						__eflags =  *(_t563 + 0x50) -  *((intOrPtr*)( *(_t563 + 0x60) + 0x30));
                                                            					} while (__eflags < 0);
                                                            					goto L15;
                                                            				} else {
                                                            					_t346 = 0x80004001;
                                                            					L2:
                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t563 - 0xc));
                                                            					return _t346;
                                                            				}
                                                            			}
                                                            0x00401e3c
                                                            0x00401e45
                                                            0x00401e48
                                                            0x00401e4b
                                                            0x00401e59
                                                            0x00401e5d
                                                            0x00401e5f
                                                            0x00401e62
                                                            0x00401e64
                                                            0x00401e96
                                                            0x00401e96
                                                            0x00401e9a
                                                            0x00401e9c
                                                            0x00401ea1
                                                            0x00401ea1
                                                            0x00401ea4
                                                            0x00401ea7
                                                            0x00401eb5
                                                            0x00401eb9
                                                            0x00401ebb
                                                            0x00401ebe
                                                            0x00401ec0
                                                            0x00401f7f
                                                            0x00401f7f
                                                            0x00401f83
                                                            0x00401f85
                                                            0x00401f8a
                                                            0x00401f8a
                                                            0x00401f8d
                                                            0x00401f93
                                                            0x00401f98
                                                            0x00401f99
                                                            0x00401fa1
                                                            0x00401fa4
                                                            0x00401fa7
                                                            0x00401faa
                                                            0x00401fad
                                                            0x00401fb0
                                                            0x00401fb3
                                                            0x00401fb6
                                                            0x00401fb9
                                                            0x00401fbc
                                                            0x00401fbf
                                                            0x00401fc6
                                                            0x00401fca
                                                            0x00401fd3
                                                            0x00401fd8
                                                            0x00401fda
                                                            0x0040206b
                                                            0x00000000
                                                            0x00401fe0
                                                            0x00401fe0
                                                            0x00401fe3
                                                            0x00401fe6
                                                            0x00401ff3
                                                            0x00401ff8
                                                            0x00401ffb
                                                            0x00401ffb
                                                            0x00401ffb
                                                            0x00401ffb
                                                            0x0040206e
                                                            0x0040206e
                                                            0x00402071
                                                            0x00402074
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00402076
                                                            0x00402076
                                                            0x0040207b
                                                            0x00402080
                                                            0x00402082
                                                            0x00402095
                                                            0x0040209a
                                                            0x0040209c
                                                            0x00402175
                                                            0x00402179
                                                            0x00402181
                                                            0x00402185
                                                            0x00000000
                                                            0x00402185
                                                            0x004020a2
                                                            0x00000000
                                                            0x004020a2
                                                            0x00402087
                                                            0x0040208b
                                                            0x004020a5
                                                            0x004020ac
                                                            0x004020b1
                                                            0x004020b7
                                                            0x004020ba
                                                            0x004020ba
                                                            0x00000000
                                                            0x00402076
                                                            0x00401ec6
                                                            0x00401ec6
                                                            0x00401ec9
                                                            0x00401ecb
                                                            0x00402137
                                                            0x0040213b
                                                            0x0040213e
                                                            0x0040213e
                                                            0x00000000
                                                            0x0040213e
                                                            0x00401ed1
                                                            0x00401edb
                                                            0x00401ee2
                                                            0x00401ee4
                                                            0x00401ee6
                                                            0x00402148
                                                            0x0040214b
                                                            0x00402151
                                                            0x00402154
                                                            0x00402158
                                                            0x0040215a
                                                            0x0040215f
                                                            0x0040215f
                                                            0x00402162
                                                            0x00000000
                                                            0x00402162
                                                            0x00401eec
                                                            0x00401ef3
                                                            0x00401ef6
                                                            0x00401f02
                                                            0x00401f06
                                                            0x00401f09
                                                            0x00401f0e
                                                            0x00401f18
                                                            0x00401f1c
                                                            0x00401f1f
                                                            0x00401f24
                                                            0x00401f26
                                                            0x00401f41
                                                            0x00401f44
                                                            0x00401f4d
                                                            0x00401f50
                                                            0x00401f53
                                                            0x00401f55
                                                            0x00401f5a
                                                            0x00401f5d
                                                            0x00401f5f
                                                            0x00402169
                                                            0x00000000
                                                            0x0040216f
                                                            0x00401f65
                                                            0x00401f6c
                                                            0x00401f76
                                                            0x00401f7c
                                                            0x00000000
                                                            0x00401f7c
                                                            0x00401f28
                                                            0x00401f2e
                                                            0x00401f2e
                                                            0x00401f30
                                                            0x00401f30
                                                            0x00401f34
                                                            0x00401f39
                                                            0x00401f3d
                                                            0x00401f3e
                                                            0x00401f3e
                                                            0x00401f3e
                                                            0x00000000
                                                            0x00401f30
                                                            0x00401ec0
                                                            0x00401e69
                                                            0x00401e6c
                                                            0x00401e6f
                                                            0x00401e72
                                                            0x0040212b
                                                            0x00402063
                                                            0x00402066
                                                            0x0040204e
                                                            0x0040204e
                                                            0x00000000
                                                            0x0040204e
                                                            0x00401e85
                                                            0x00401e88
                                                            0x00401e8b
                                                            0x00401e8d
                                                            0x00401e90
                                                            0x00402016
                                                            0x00402016
                                                            0x0040201a
                                                            0x0040201c
                                                            0x00402021
                                                            0x00402021
                                                            0x00402024
                                                            0x00000000
                                                            0x00402024
                                                            0x00000000
                                                            0x004020bf
                                                            0x004020c8
                                                            0x004020ce
                                                            0x004020d4
                                                            0x004020d8
                                                            0x004020e0
                                                            0x004020e4
                                                            0x004020e9
                                                            0x004020ea
                                                            0x004020ed
                                                            0x004020ed
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401d1f
                                                            0x00401d1f
                                                            0x00401d28
                                                            0x00401d2b
                                                            0x00401d2e
                                                            0x00401d31
                                                            0x00401d35
                                                            0x00401d39
                                                            0x00401d3a
                                                            0x00401d3d
                                                            0x00401d41
                                                            0x00401d43
                                                            0x00401d48
                                                            0x00401d4b
                                                            0x00401d4d
                                                            0x00000000
                                                            0x00000000
                                                            0x00401d53
                                                            0x00401d56
                                                            0x00401d5a
                                                            0x00401d5e
                                                            0x00401d8c
                                                            0x00401d8c
                                                            0x00401d8f
                                                            0x00402058
                                                            0x0040205b
                                                            0x0040205f
                                                            0x00402061
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00402061
                                                            0x00401d9b
                                                            0x00401da0
                                                            0x00401da3
                                                            0x00401dab
                                                            0x00401dab
                                                            0x00401db0
                                                            0x00401db3
                                                            0x00401db7
                                                            0x00401dbc
                                                            0x00401dbf
                                                            0x00401dc3
                                                            0x00401dc5
                                                            0x00401dca
                                                            0x00401dca
                                                            0x00401dcd
                                                            0x00401dd0
                                                            0x00401dd4
                                                            0x00401dd6
                                                            0x00401ddb
                                                            0x00401ddb
                                                            0x00401dde
                                                            0x00401de1
                                                            0x00401de5
                                                            0x00401de7
                                                            0x00401dec
                                                            0x00401dec
                                                            0x00401def
                                                            0x00401df5
                                                            0x00401df8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401df8
                                                            0x00401d60
                                                            0x00401d64
                                                            0x00000000
                                                            0x00000000
                                                            0x00401d66
                                                            0x00401d69
                                                            0x00401d6b
                                                            0x0040202c
                                                            0x0040202f
                                                            0x00402033
                                                            0x00402035
                                                            0x0040203a
                                                            0x0040203d
                                                            0x0040203d
                                                            0x00402040
                                                            0x00402044
                                                            0x00402046
                                                            0x0040204b
                                                            0x0040204b
                                                            0x00000000
                                                            0x00402046
                                                            0x00401d75
                                                            0x00401d7a
                                                            0x00401d7d
                                                            0x00401d85
                                                            0x00401d85
                                                            0x00000000
                                                            0x00401d7d
                                                            0x00402002
                                                            0x00402005
                                                            0x00402009
                                                            0x0040200b
                                                            0x00402010
                                                            0x00402010
                                                            0x00402013
                                                            0x00000000
                                                            0x00401ce4
                                                            0x00401ce4
                                                            0x00401ce6
                                                            0x00401cec
                                                            0x00401cf0
                                                            0x00401cf8
                                                            0x00401cfb
                                                            0x00401d00
                                                            0x00401d07
                                                            0x00401d0c
                                                            0x00000000
                                                            0x00401d0c
                                                            0x00401ce2
                                                            0x00401c68
                                                            0x00401c71
                                                            0x00401c76
                                                            0x00401c7b
                                                            0x00401c7d
                                                            0x00401c7f
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401b63
                                                            0x00401b63
                                                            0x00401b65
                                                            0x00401b6b
                                                            0x00401b6d
                                                            0x00401b7c
                                                            0x00401b7c
                                                            0x00401b6f
                                                            0x00401b6f
                                                            0x00401b72
                                                            0x00401b78
                                                            0x00401b78
                                                            0x00401b82
                                                            0x00401b8d
                                                            0x00401b93
                                                            0x00401b99
                                                            0x00401b9f
                                                            0x00401ba4
                                                            0x00401bac
                                                            0x00401baf
                                                            0x00401bb3
                                                            0x00401bb9
                                                            0x00401bbb
                                                            0x00401bcd
                                                            0x00401bcd
                                                            0x00401bbd
                                                            0x00401bbd
                                                            0x00401bc0
                                                            0x00401bc6
                                                            0x00401bc9
                                                            0x00401bc9
                                                            0x00401bd3
                                                            0x00401bdb
                                                            0x00401bde
                                                            0x00401be2
                                                            0x00401be9
                                                            0x00401bec
                                                            0x00401bf2
                                                            0x00401bf6
                                                            0x00401bf9
                                                            0x00401bfc
                                                            0x00401bff
                                                            0x00401c02
                                                            0x00401c07
                                                            0x00401c0a
                                                            0x00401c0e
                                                            0x00401c10
                                                            0x00401c15
                                                            0x00401c15
                                                            0x00401c18
                                                            0x00401c1b
                                                            0x00401c1f
                                                            0x00401c21
                                                            0x00401c26
                                                            0x00401c26
                                                            0x00401c29
                                                            0x00401c32
                                                            0x00401c32
                                                            0x00000000
                                                            0x00401aff
                                                            0x00401aff
                                                            0x00401b04
                                                            0x00401b07
                                                            0x00401b16
                                                            0x00401b16

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00401AE9
                                                              • Part of subcall function 004041D7: __EH_prolog3.LIBCMT ref: 004041E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: d3B
                                                            • API String ID: 431132790-3693543266
                                                            • Opcode ID: d8afe6f6ff4891dc18ce29e9ffc2b2caf8244958c7e486e4a2347d26cb19dee7
                                                            • Instruction ID: fe56a826ab4fa0c4caee881864b3562cd941cd1960334c3267d892546610e000
                                                            • Opcode Fuzzy Hash: d8afe6f6ff4891dc18ce29e9ffc2b2caf8244958c7e486e4a2347d26cb19dee7
                                                            • Instruction Fuzzy Hash: 23424871900289DFCB14DFA4C984A9DBBB1BF08304F24446EF94AA73A1CB79EE45CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1151 417abb-417acd 1152 417aeb-417b03 call 41871a call 41ae0d 1151->1152 1153 417acf-417ae9 call 41ad48 call 41b335 1151->1153 1163 417b05-417b27 call 418908 call 4187a8 1152->1163 1164 417b4f-417b59 call 4174de 1152->1164 1162 417b67-417b6a 1153->1162 1175 417b29 1163->1175 1176 417b2c-417b44 CreateThread 1163->1176 1170 417b64 1164->1170 1171 417b5b-417b63 call 41ad6e 1164->1171 1174 417b66 1170->1174 1171->1170 1174->1162 1175->1176 1176->1174 1178 417b46-417b4c GetLastError 1176->1178 1178->1164
                                                            C-Code - Quality: 73%
                                                            			E00417ABB(void* __edx, void* __esi, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
                                                            				DWORD* _v8;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __ebp;
                                                            				void* _t20;
                                                            				DWORD* _t25;
                                                            				intOrPtr* _t27;
                                                            				char _t41;
                                                            				void* _t44;
                                                            
                                                            				_t41 = _a12;
                                                            				_v8 = 0;
                                                            				_t48 = _t41;
                                                            				if(_t41 != 0) {
                                                            					_push(__esi);
                                                            					E0041871A();
                                                            					_t44 = E0041AE0D(1, 0x214);
                                                            					__eflags = _t44;
                                                            					if(__eflags == 0) {
                                                            						L7:
                                                            						_push(_t44);
                                                            						E004174DE(0, _t41, _t44, __eflags);
                                                            						__eflags = _v8;
                                                            						if(_v8 != 0) {
                                                            							E0041AD6E(_v8);
                                                            						}
                                                            						_t20 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_push( *((intOrPtr*)(E00418908(0, __edx, _t41, __eflags) + 0x6c)));
                                                            						_push(_t44);
                                                            						E004187A8(0, _t41, _t44, __eflags);
                                                            						 *(_t44 + 4) =  *(_t44 + 4) | 0xffffffff;
                                                            						 *((intOrPtr*)(_t44 + 0x58)) = _a16;
                                                            						_t25 = _a24;
                                                            						 *((intOrPtr*)(_t44 + 0x54)) = _t41;
                                                            						__eflags = _t25;
                                                            						if(_t25 == 0) {
                                                            							_t25 =  &_a12;
                                                            						}
                                                            						_t20 = CreateThread(_a4, _a8, E00417A38, _t44, _a20, _t25); // executed
                                                            						__eflags = _t20;
                                                            						if(__eflags == 0) {
                                                            							_v8 = GetLastError();
                                                            							goto L7;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t27 = E0041AD48(_t48);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					 *_t27 = 0x16;
                                                            					E0041B335(__edx, _t41, __esi);
                                                            					_t20 = 0;
                                                            				}
                                                            				return _t20;
                                                            			}













                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 00417AEC
                                                            • __calloc_crt.LIBCMT ref: 00417AF8
                                                            • __getptd.LIBCMT ref: 00417B05
                                                            • CreateThread.KERNELBASE(?,?,00417A38,00000000,?,?), ref: 00417B3C
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00417B46
                                                            • __dosmaperr.LIBCMT ref: 00417B5E
                                                              • Part of subcall function 0041AD48: __getptd_noexit.LIBCMT ref: 0041AD48
                                                              • Part of subcall function 0041B335: __decode_pointer.LIBCMT ref: 0041B340
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1803633139-0
                                                            • Opcode ID: bd57337042e369ada8254afdd92a6befe6d8931571a8e1857cc31b4486f3c813
                                                            • Instruction ID: 20030da27661398e7b4bd22b816fad984296ffe35ec401903591d51bcc064354
                                                            • Opcode Fuzzy Hash: bd57337042e369ada8254afdd92a6befe6d8931571a8e1857cc31b4486f3c813
                                                            • Instruction Fuzzy Hash: F111C872909204AFCB10BFA5DC828DF77B5EF04368B20402FF51597191DB79AA918B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1179 4109de-410a0f call 416b21 CreateFileW 1182 410a11-410a2b call 40320a call 409876 1179->1182 1183 410a48-410a4e 1179->1183 1192 410a2d-410a3c CreateFileW 1182->1192 1193 410a3f-410a47 call 408bfb 1182->1193 1185 410a70-410a77 call 416bf9 1183->1185 1186 410a50-410a6a SetFileTime FindCloseChangeNotification 1183->1186 1186->1185 1192->1193 1193->1183
                                                            C-Code - Quality: 88%
                                                            			E004109DE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t21;
                                                            				int _t24;
                                                            				void* _t28;
                                                            				signed int _t33;
                                                            				void* _t39;
                                                            				void* _t40;
                                                            
                                                            				_push(0x10);
                                                            				E00416B21(E00421C6C, __ebx, __edi, __esi);
                                                            				_t39 = CreateFileW;
                                                            				_t21 = CreateFileW( *(_t40 + 8), 0x40000000, 3, 0, 3, 0x2000000, 0); // executed
                                                            				 *(_t40 - 0x10) = _t21;
                                                            				_t42 = _t21 - 0xffffffff;
                                                            				if(_t21 == 0xffffffff) {
                                                            					E0040320A(_t40 - 0x1c);
                                                            					 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
                                                            					_t28 = E00409876(_t42,  *(_t40 + 8), _t40 - 0x1c);
                                                            					_t43 = _t28;
                                                            					if(_t28 != 0) {
                                                            						 *(_t40 - 0x10) = CreateFileW( *(_t40 - 0x1c), 0x40000000, 3, 0, 3, 0x2000000, 0);
                                                            					}
                                                            					_push( *(_t40 - 0x1c));
                                                            					L00408BFB(0x2000000, 0x40000000, _t39, _t43);
                                                            				}
                                                            				_t33 = 0;
                                                            				if( *(_t40 - 0x10) != 0xffffffff) {
                                                            					_t24 = SetFileTime( *(_t40 - 0x10),  *(_t40 + 0xc),  *(_t40 + 0x10),  *(_t40 + 0x14)); // executed
                                                            					_t33 = 0 | _t24 != 0x00000000;
                                                            					FindCloseChangeNotification( *(_t40 - 0x10)); // executed
                                                            				}
                                                            				return E00416BF9(_t33);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 004109E5
                                                            • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,00000010), ref: 00410A07
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 00410A3A
                                                            • SetFileTime.KERNELBASE(000000FF,?,000000FF,?), ref: 00410A5C
                                                            • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00410A6A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: File$Create$ChangeCloseFindH_prolog3NotificationTime
                                                            • String ID:
                                                            • API String ID: 617186795-0
                                                            • Opcode ID: bc39a54a1b828aed2b943b5f512252c6bdd0e7999e1584c50203e6193bebcbfb
                                                            • Instruction ID: 3613f7cd525b14c886710ac5f4de7458b184cc3a0c0b6e5d5c1753a367fab2e1
                                                            • Opcode Fuzzy Hash: bc39a54a1b828aed2b943b5f512252c6bdd0e7999e1584c50203e6193bebcbfb
                                                            • Instruction Fuzzy Hash: E8118231940219BBDF119F60DC01FEE7B79AF04714F10852AB6206A1E1C7B99A51DB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1196 4174de-4174ef call 417b6c 1199 4174f1-4174f8 1196->1199 1200 417566-41756b call 417bb1 1196->1200 1201 4174fa-417512 call 419ea7 call 419eda 1199->1201 1202 41753d 1199->1202 1214 417514-41751c call 419f0a 1201->1214 1215 41751d-41752d call 417534 1201->1215 1204 41753e-41754e RtlFreeHeap 1202->1204 1204->1200 1207 417550-417565 call 41ad48 GetLastError call 41ad06 1204->1207 1207->1200 1214->1215 1215->1200 1221 41752f-417532 1215->1221 1221->1204
                                                            C-Code - Quality: 30%
                                                            			E004174DE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _t10;
                                                            				intOrPtr _t13;
                                                            				intOrPtr _t23;
                                                            				void* _t25;
                                                            
                                                            				_push(0xc);
                                                            				_push(0x42a450);
                                                            				_t8 = E00417B6C(__ebx, __edi, __esi);
                                                            				_t23 =  *((intOrPtr*)(_t25 + 8));
                                                            				if(_t23 == 0) {
                                                            					L9:
                                                            					return E00417BB1(_t8);
                                                            				}
                                                            				if( *0x4342d8 != 3) {
                                                            					_push(_t23);
                                                            					L7:
                                                            					_push(0);
                                                            					_t8 = RtlFreeHeap( *0x430e7c); // executed
                                                            					_t31 = _t8;
                                                            					if(_t8 == 0) {
                                                            						_t10 = E0041AD48(_t31);
                                                            						 *_t10 = E0041AD06(GetLastError());
                                                            					}
                                                            					goto L9;
                                                            				}
                                                            				E00419EA7(__ebx, 4);
                                                            				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                            				_t13 = E00419EDA(_t23);
                                                            				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                                                            				if(_t13 != 0) {
                                                            					_push(_t23);
                                                            					_push(_t13);
                                                            					E00419F0A();
                                                            				}
                                                            				 *(_t25 - 4) = 0xfffffffe;
                                                            				_t8 = E00417534();
                                                            				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                                                            					goto L9;
                                                            				} else {
                                                            					_push( *((intOrPtr*)(_t25 + 8)));
                                                            					goto L7;
                                                            				}
                                                            			}








                                                            APIs
                                                            • __lock.LIBCMT ref: 004174FC
                                                              • Part of subcall function 00419EA7: __mtinitlocknum.LIBCMT ref: 00419EBD
                                                              • Part of subcall function 00419EA7: __amsg_exit.LIBCMT ref: 00419EC9
                                                              • Part of subcall function 00419EA7: EnterCriticalSection.KERNEL32(?,?,?,004189B3,0000000D,0042A540,00000008,00417A97,?,00000000), ref: 00419ED1
                                                            • ___sbh_find_block.LIBCMT ref: 00417507
                                                            • ___sbh_free_block.LIBCMT ref: 00417516
                                                            • RtlFreeHeap.NTDLL(00000000,?,0042A450,0000000C,004188F9,00000000,?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C), ref: 00417546
                                                            • GetLastError.KERNEL32(?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C,00419EC2,?,?,?,004189B3,0000000D), ref: 00417557
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                            • String ID:
                                                            • API String ID: 2714421763-0
                                                            • Opcode ID: b015da1727d326e449cd797088a92338f16aa03c9485e9cd3d673cd42b4f956c
                                                            • Instruction ID: 64add48afb761cb90f48c248a03a0627652d4b19cf23b5e5f4340693ef6873dd
                                                            • Opcode Fuzzy Hash: b015da1727d326e449cd797088a92338f16aa03c9485e9cd3d673cd42b4f956c
                                                            • Instruction Fuzzy Hash: BA018F31909305BADB20AF71AD0ABDE3A759F017A9F60015FF414A66D1CB3C9AC08A6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            C-Code - Quality: 85%
                                                            			E00410B45(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				int _t14;
                                                            				long _t15;
                                                            				signed int _t16;
                                                            				int _t22;
                                                            				signed int _t23;
                                                            				int _t31;
                                                            				void* _t32;
                                                            
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t14 = CreateDirectoryW( *(_t32 + 8), 0); // executed
                                                            				if(_t14 == 0) {
                                                            					_t15 = GetLastError();
                                                            					__eflags = _t15 - 0xb7;
                                                            					if(_t15 == 0xb7) {
                                                            						L6:
                                                            						_t16 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						E0040320A(_t32 - 0x18);
                                                            						 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                                            						__eflags = E00409876(__eflags,  *(_t32 + 8), _t32 - 0x18);
                                                            						if(__eflags == 0) {
                                                            							_push( *(_t32 - 0x18));
                                                            							L00408BFB(__ebx, __edi, CreateDirectoryW, __eflags);
                                                            							goto L6;
                                                            						} else {
                                                            							_t22 = CreateDirectoryW( *(_t32 - 0x18), 0);
                                                            							_push( *(_t32 - 0x18));
                                                            							_t31 = _t22;
                                                            							_t23 = L00408BFB(__ebx, __edi, _t31, __eflags);
                                                            							__eflags = _t31;
                                                            							_t16 = _t23 & 0xffffff00 | _t31 != 0x00000000;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t16 = 1;
                                                            				}
                                                            				return E00416BF9(_t16);
                                                            			}











                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410B4C
                                                            • CreateDirectoryW.KERNELBASE(?,00000000,0000000C), ref: 00410B5C
                                                            • GetLastError.KERNEL32 ref: 00410B66
                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00410B94
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$ErrorH_prolog3Last
                                                            • String ID:
                                                            • API String ID: 2304068239-0
                                                            • Opcode ID: 7a2c59161908c7af8dd5fbba20bf608b546bdd534924d1f9c24e27307d0436b8
                                                            • Instruction ID: 172f9d72519d5a2fa44a3033f577515c06ab2bcbe3982b179992f9fb810241dd
                                                            • Opcode Fuzzy Hash: 7a2c59161908c7af8dd5fbba20bf608b546bdd534924d1f9c24e27307d0436b8
                                                            • Instruction Fuzzy Hash: 60F08131904215ABDF10AB91CD02BEE7F319F10715F51406AAA00661E2CB78EAD2969D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            C-Code - Quality: 75%
                                                            			E004179BA(long _a4) {
                                                            				void* _t6;
                                                            				void* _t9;
                                                            				void* _t10;
                                                            
                                                            				_t11 =  *0x4342fc;
                                                            				if( *0x4342fc != 0 && E0041AFE0(_t11, 0x4342fc) != 0) {
                                                            					 *0x4342fc();
                                                            				}
                                                            				if(E0041888F(_t6) != 0) {
                                                            					E00418A51(_t6, _t9, _t10, _t2); // executed
                                                            				}
                                                            				ExitThread(_a4);
                                                            			}







                                                            APIs
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 004179CD
                                                              • Part of subcall function 0041AFE0: __FindPESection.LIBCMT ref: 0041B03B
                                                            • __getptd_noexit.LIBCMT ref: 004179DD
                                                            • __freeptd.LIBCMT ref: 004179E7
                                                            • ExitThread.KERNEL32 ref: 004179F0
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 3182216644-0
                                                            • Opcode ID: 248dff81f2ed47bffa5431741d82cf7db17d51ce89a6d991ca8d81712fb1923e
                                                            • Instruction ID: 74958c9a6b692f66c632ff5e924dfbe5784b6134d24ea96b71ae755472240e2c
                                                            • Opcode Fuzzy Hash: 248dff81f2ed47bffa5431741d82cf7db17d51ce89a6d991ca8d81712fb1923e
                                                            • Instruction Fuzzy Hash: D2D0C27010420557E7103BA7DC0EBE736686F403D0F94402BB404900A0DE2CECD1C92D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            C-Code - Quality: 84%
                                                            			E0040BD49(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t136;
                                                            				intOrPtr* _t142;
                                                            				signed int _t145;
                                                            				signed int _t146;
                                                            				signed int _t150;
                                                            				signed int _t154;
                                                            				signed int _t162;
                                                            				void* _t166;
                                                            				void* _t177;
                                                            				char* _t182;
                                                            				signed int _t192;
                                                            				signed int _t197;
                                                            				intOrPtr _t199;
                                                            				void* _t204;
                                                            				void* _t208;
                                                            				intOrPtr _t228;
                                                            				void* _t240;
                                                            				void* _t245;
                                                            				signed int _t249;
                                                            				signed int _t252;
                                                            				void* _t253;
                                                            
                                                            				_t245 = __edx;
                                                            				_push(0x5c);
                                                            				E00416B21(E00421A44, __ebx, __edi, __esi);
                                                            				_t208 = __ecx;
                                                            				E00402B01(__ecx);
                                                            				_t247 = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x34)) = 0;
                                                            				 *((short*)( *((intOrPtr*)(__ecx + 0x30)))) = 0;
                                                            				E0040908D(0, __esi, _t253 - 0x20, __ecx + 4);
                                                            				 *((intOrPtr*)(_t253 - 4)) = 0;
                                                            				E0040320A(_t253 - 0x2c);
                                                            				 *((char*)(_t253 - 4)) = 1;
                                                            				if(E004099B4(_t253 - 0x20, 0x2e) >= 0) {
                                                            					_t204 = E00408826(_t253 - 0x20, _t253 - 0x44, _t135 + 1);
                                                            					 *((char*)(_t253 - 4)) = 2;
                                                            					E00408639(_t253 - 0x2c, _t253, _t204);
                                                            					_push( *((intOrPtr*)(_t253 - 0x44)));
                                                            					L00408BFB(_t208, 0, __esi, _t135 + 1);
                                                            				}
                                                            				 *(_t253 - 0x64) = _t247;
                                                            				 *(_t253 - 0x60) = _t247;
                                                            				 *(_t253 - 0x5c) = _t247;
                                                            				 *((intOrPtr*)(_t253 - 0x58)) = 4;
                                                            				 *((intOrPtr*)(_t253 - 0x68)) = 0x42350c;
                                                            				 *((char*)(_t253 - 4)) = 3;
                                                            				if( *(_t253 + 0xc) < _t247) {
                                                            					_t136 =  *((intOrPtr*)(_t253 + 8));
                                                            					_t249 = 0;
                                                            					__eflags =  *((intOrPtr*)(_t136 + 0x10)) - _t247;
                                                            					 *(_t253 + 0xc) = _t247;
                                                            					if( *((intOrPtr*)(_t136 + 0x10)) <= _t247) {
                                                            						L9:
                                                            						__eflags =  *((intOrPtr*)(_t253 + 0x10)) - _t247;
                                                            						if( *((intOrPtr*)(_t253 + 0x10)) != _t247) {
                                                            							goto L14;
                                                            						}
                                                            						__eflags =  *(_t253 + 0xc) - 1;
                                                            						if( *(_t253 + 0xc) == 1) {
                                                            							E00408A4D(_t253 - 0x68, 1);
                                                            							goto L14;
                                                            						}
                                                            						goto L11;
                                                            					} else {
                                                            						goto L5;
                                                            					}
                                                            					do {
                                                            						L5:
                                                            						_t197 = E0040B987( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t253 + 8)) + 0x14)) + _t249 * 4)), _t253 - 0x2c);
                                                            						_push(_t249);
                                                            						_t240 = _t253 - 0x68;
                                                            						__eflags = _t197;
                                                            						if(_t197 < 0) {
                                                            							E0040105E(_t240);
                                                            						} else {
                                                            							E0040B786(_t240,  *(_t253 + 0xc));
                                                            							 *(_t253 + 0xc) =  *(_t253 + 0xc) + 1;
                                                            						}
                                                            						_t199 =  *((intOrPtr*)(_t253 + 8));
                                                            						_t249 = _t249 + 1;
                                                            						__eflags = _t249 -  *((intOrPtr*)(_t199 + 0x10));
                                                            					} while (_t249 <  *((intOrPtr*)(_t199 + 0x10)));
                                                            					goto L9;
                                                            				} else {
                                                            					E0040105E(_t253 - 0x68,  *(_t253 + 0xc));
                                                            					L14:
                                                            					 *(_t253 + 0xc) = _t247;
                                                            					if( *(_t253 - 0x60) <= _t247) {
                                                            						L28:
                                                            						_t251 = 1;
                                                            						L12:
                                                            						 *((char*)(_t253 - 4)) = 1;
                                                            						E00408BC5(_t253 - 0x68);
                                                            						_push( *((intOrPtr*)(_t253 - 0x2c)));
                                                            						L00408BFB(_t208, _t247, _t251, _t265);
                                                            						_push( *((intOrPtr*)(_t253 - 0x20)));
                                                            						L00408BFB(_t208, _t247, _t251, _t265);
                                                            						return E00416BF9(_t251);
                                                            					} else {
                                                            						goto L15;
                                                            					}
                                                            					do {
                                                            						L15:
                                                            						_t142 =  *((intOrPtr*)(_t253 + 0x10));
                                                            						if(_t142 == _t247) {
                                                            							L17:
                                                            							 *(_t253 - 0x14) = _t247;
                                                            							 *((char*)(_t253 - 4)) = 4;
                                                            							 *(_t208 + 0x1c) =  *( *(_t253 - 0x5c) +  *(_t253 + 0xc) * 4);
                                                            							_t145 = E0040B9BB( *((intOrPtr*)(_t253 + 8)),  *( *(_t253 - 0x5c) +  *(_t253 + 0xc) * 4), _t253 - 0x14);
                                                            							_t251 = _t145;
                                                            							if(_t145 != _t247) {
                                                            								_t146 =  *(_t253 - 0x14);
                                                            								 *((char*)(_t253 - 4)) = 3;
                                                            								__eflags = _t146 - _t247;
                                                            								if(_t146 != _t247) {
                                                            									 *((intOrPtr*)( *_t146 + 8))(_t146);
                                                            								}
                                                            								goto L12;
                                                            							}
                                                            							_t252 =  *(_t253 - 0x14);
                                                            							if(_t252 != _t247) {
                                                            								__eflags =  *((intOrPtr*)(_t253 + 0x10)) - _t247;
                                                            								if( *((intOrPtr*)(_t253 + 0x10)) == _t247) {
                                                            									 *(_t253 - 0x10) = _t247;
                                                            									 *((char*)(_t253 - 4)) = 5;
                                                            									 *((intOrPtr*)( *_t252))(_t252, 0x424134, _t253 - 0x10);
                                                            									_t150 =  *(_t253 - 0x10);
                                                            									__eflags = _t150 - _t247;
                                                            									if(_t150 == _t247) {
                                                            										 *((char*)(_t253 - 4)) = 3;
                                                            										 *((intOrPtr*)( *_t252 + 8))(_t252);
                                                            										L11:
                                                            										_t251 = 0x80004001;
                                                            										goto L12;
                                                            									}
                                                            									_t247 =  *((intOrPtr*)( *_t150 + 0xc))(_t150,  *((intOrPtr*)(_t253 + 0x14)));
                                                            									_t154 =  *(_t253 - 0x10);
                                                            									 *((char*)(_t253 - 4)) = 4;
                                                            									__eflags = _t154;
                                                            									if(_t154 != 0) {
                                                            										 *((intOrPtr*)( *_t154 + 8))(_t154);
                                                            									}
                                                            									L25:
                                                            									__eflags = _t247 - 1;
                                                            									if(_t247 != 1) {
                                                            										__eflags = _t247;
                                                            										if(_t247 == 0) {
                                                            											 *((short*)(_t253 - 0x54)) = 0;
                                                            											 *((short*)(_t253 - 0x52)) = 0;
                                                            											 *((char*)(_t253 - 4)) = 6;
                                                            											 *((intOrPtr*)( *_t252 + 0x20))(_t252, 0x37, _t253 - 0x54);
                                                            											__eflags =  *((short*)(_t253 - 0x54));
                                                            											if( *((short*)(_t253 - 0x54)) != 0) {
                                                            												__eflags =  *((short*)(_t253 - 0x54)) - 8;
                                                            												_t182 =  *(_t253 - 0x4c);
                                                            												if( *((short*)(_t253 - 0x54)) != 8) {
                                                            													_t182 = L"Unknown error";
                                                            												}
                                                            												E004090CA(_t208 + 0x30, _t253, _t182);
                                                            											}
                                                            											 *((char*)(_t253 - 4)) = 4;
                                                            											E00409A4A(_t253 - 0x54);
                                                            											E00406200(_t208, _t252);
                                                            											_t247 =  *( *((intOrPtr*)( *((intOrPtr*)(_t253 + 8)) + 0x14)) +  *(_t208 + 0x1c) * 4);
                                                            											__eflags =  *(_t247 + 0x20);
                                                            											if( *(_t247 + 0x20) != 0) {
                                                            												_t162 = E0040B987(_t247, _t253 - 0x2c);
                                                            												__eflags = _t162;
                                                            												if(__eflags < 0) {
                                                            													_t162 = 0;
                                                            													__eflags = 0;
                                                            												}
                                                            												_t228 =  *((intOrPtr*)(_t247 + 0x24));
                                                            												_t119 =  *((intOrPtr*)(_t228 + _t162 * 4)) + 0xc; // 0xc
                                                            												_push( *((intOrPtr*)(_t228 + _t162 * 4)));
                                                            												_push(_t253 - 0x20);
                                                            												_push(_t253 - 0x50);
                                                            												_t166 = E0040B72F(_t245, _t252, __eflags);
                                                            												 *((char*)(_t253 - 4)) = 0xa;
                                                            												E00408639(_t208 + 0x10, _t253, _t166);
                                                            												_push( *((intOrPtr*)(_t253 - 0x50)));
                                                            												L00408BFB(_t208, _t247, _t252, __eflags);
                                                            											} else {
                                                            												_t247 = 0x423a68;
                                                            												E00401647(_t253 - 0x44, _t253, 0x423a68);
                                                            												 *((char*)(_t253 - 4)) = 7;
                                                            												E00401647(_t253 - 0x38, _t253, 0x423a68);
                                                            												_push(_t253 - 0x44);
                                                            												_push(_t253 - 0x38);
                                                            												_push(_t253 - 0x20);
                                                            												_push(_t253 - 0x50);
                                                            												 *((char*)(_t253 - 4)) = 8;
                                                            												_t177 = E0040B72F(_t245, _t252, __eflags);
                                                            												 *((char*)(_t253 - 4)) = 9;
                                                            												E00408639(_t208 + 0x10, _t253, _t177);
                                                            												_push( *((intOrPtr*)(_t253 - 0x50)));
                                                            												L00408BFB(_t208, 0x423a68, _t252, __eflags);
                                                            												_push( *((intOrPtr*)(_t253 - 0x38)));
                                                            												L00408BFB(_t208, 0x423a68, _t252, __eflags);
                                                            												_push( *((intOrPtr*)(_t253 - 0x44)));
                                                            												L00408BFB(_t208, 0x423a68, _t252, __eflags);
                                                            											}
                                                            											 *((char*)(_t253 - 4)) = 3;
                                                            											 *((intOrPtr*)( *_t252 + 8))(_t252);
                                                            											_t251 = 0;
                                                            										} else {
                                                            											 *((char*)(_t253 - 4)) = 3;
                                                            											 *((intOrPtr*)( *_t252 + 8))(_t252);
                                                            											_t251 = _t247;
                                                            										}
                                                            										goto L12;
                                                            									}
                                                            									 *((char*)(_t253 - 4)) = 3;
                                                            									 *((intOrPtr*)( *_t252 + 8))(_t252);
                                                            									_t247 = 0;
                                                            									__eflags = 0;
                                                            									goto L27;
                                                            								}
                                                            								_t247 =  *((intOrPtr*)( *_t252 + 0xc))(_t252,  *((intOrPtr*)(_t253 + 0x10)), 0x4239b0,  *((intOrPtr*)(_t253 + 0x18)));
                                                            								goto L25;
                                                            							}
                                                            							 *((char*)(_t253 - 4)) = 3;
                                                            							goto L27;
                                                            						}
                                                            						_t192 =  *((intOrPtr*)( *_t142 + 0x10))(_t142, _t247, _t247, _t247, _t247);
                                                            						if(_t192 != _t247) {
                                                            							_t251 = _t192;
                                                            							goto L12;
                                                            						}
                                                            						goto L17;
                                                            						L27:
                                                            						 *(_t253 + 0xc) =  *(_t253 + 0xc) + 1;
                                                            						_t265 =  *(_t253 + 0xc) -  *(_t253 - 0x60);
                                                            					} while ( *(_t253 + 0xc) <  *(_t253 - 0x60));
                                                            					goto L28;
                                                            				}
                                                            			}

























                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: Unknown error$h:B
                                                            • API String ID: 431132790-2896083918
                                                            • Opcode ID: abccca4332b3002c4f91c4449bdd3b9f37efbcd25ee3691752ef5f84edf4cfa5
                                                            • Instruction ID: 229dc10dfcce490ce841081ad363faeb39fea5f37d816de3d49a9016c6dfb729
                                                            • Opcode Fuzzy Hash: abccca4332b3002c4f91c4449bdd3b9f37efbcd25ee3691752ef5f84edf4cfa5
                                                            • Instruction Fuzzy Hash: 30B16070900248DFCB01DF95C9849DEBBB8EF59304F14446FF845BB292DB789A45CBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E00404515(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t52;
                                                            				intOrPtr _t56;
                                                            				intOrPtr _t61;
                                                            				intOrPtr _t63;
                                                            				intOrPtr _t65;
                                                            				intOrPtr _t67;
                                                            				intOrPtr _t73;
                                                            				intOrPtr _t78;
                                                            				intOrPtr _t79;
                                                            				intOrPtr _t83;
                                                            				intOrPtr _t84;
                                                            				intOrPtr _t89;
                                                            				void* _t91;
                                                            				intOrPtr* _t92;
                                                            				intOrPtr* _t93;
                                                            				void* _t96;
                                                            				intOrPtr _t99;
                                                            				void* _t102;
                                                            				intOrPtr _t103;
                                                            				void* _t106;
                                                            				void* _t107;
                                                            				void* _t109;
                                                            
                                                            				_t109 = __eflags;
                                                            				_push(0x24);
                                                            				E00416B21(E004210A6, __ebx, __edi, __esi);
                                                            				_t102 = __ecx;
                                                            				_t98 = __ecx + 0x28;
                                                            				_t52 = E0040B06F(_t109,  *((intOrPtr*)(_t106 + 8)), __ecx + 0x28, 0x20); // executed
                                                            				if(_t52 == 0) {
                                                            					if(E00403DB0(_t98) == 0) {
                                                            						 *((intOrPtr*)(_t106 - 0x30)) = 0x423364;
                                                            						 *((intOrPtr*)(_t106 - 0x2c)) = 0;
                                                            						 *((intOrPtr*)(_t106 - 0x28)) = 0;
                                                            						_t6 = _t106 - 0x30; // 0x423364
                                                            						 *((intOrPtr*)(_t106 - 4)) = 0;
                                                            						E0040140A(_t6, _t106, 0x10000);
                                                            						_t56 = 0x20;
                                                            						_t99 =  *((intOrPtr*)(_t106 - 0x28));
                                                            						 *((intOrPtr*)(_t106 - 0x10)) = _t56;
                                                            						E00416FC0(0, _t99, _t102, _t99, _t98, _t56);
                                                            						_t83 =  *((intOrPtr*)(_t102 + 0x20));
                                                            						 *((intOrPtr*)(_t106 - 0x20)) =  *((intOrPtr*)(_t102 + 0x24));
                                                            						while(1) {
                                                            							L4:
                                                            							_t93 =  *((intOrPtr*)(_t106 + 0xc));
                                                            							_t107 = _t107 + 0xc;
                                                            							__eflags = _t93;
                                                            							if(_t93 == 0) {
                                                            								goto L8;
                                                            							}
                                                            							_t91 = _t83 -  *((intOrPtr*)(_t102 + 0x20));
                                                            							asm("sbb eax, [esi+0x24]");
                                                            							__eflags =  *((intOrPtr*)(_t106 - 0x20)) -  *((intOrPtr*)(_t93 + 4));
                                                            							if(__eflags > 0) {
                                                            								L22:
                                                            								_push(_t99);
                                                            								L00408BFB(_t83, _t99, _t102, __eflags);
                                                            								_t52 = 1;
                                                            							} else {
                                                            								if(__eflags < 0) {
                                                            									goto L8;
                                                            								} else {
                                                            									__eflags = _t91 -  *_t93;
                                                            									if(__eflags > 0) {
                                                            										goto L22;
                                                            									} else {
                                                            										while(1) {
                                                            											L8:
                                                            											_t61 =  *((intOrPtr*)(_t106 - 0x10));
                                                            											_t63 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t106 + 8)))) + 0xc))( *((intOrPtr*)(_t106 + 8)), _t61 + _t99, 0x10000 - _t61, _t106 - 0x1c);
                                                            											__eflags = _t63;
                                                            											if(__eflags != 0) {
                                                            												break;
                                                            											}
                                                            											_t65 =  *((intOrPtr*)(_t106 - 0x1c));
                                                            											 *((intOrPtr*)(_t106 - 0x10)) =  *((intOrPtr*)(_t106 - 0x10)) + _t65;
                                                            											__eflags = _t65;
                                                            											if(__eflags == 0) {
                                                            												_t103 = 1;
                                                            												L24:
                                                            												_push(_t99);
                                                            												goto L27;
                                                            											} else {
                                                            												__eflags =  *((intOrPtr*)(_t106 - 0x10)) - 0x20;
                                                            												if( *((intOrPtr*)(_t106 - 0x10)) <= 0x20) {
                                                            													continue;
                                                            												} else {
                                                            													_t67 =  *((intOrPtr*)(_t106 - 0x10)) + 0xffffffe0;
                                                            													_t89 = 0;
                                                            													 *((intOrPtr*)(_t106 - 0x18)) = _t67;
                                                            													 *((intOrPtr*)(_t106 - 0x14)) = 0;
                                                            													__eflags = _t67;
                                                            													if(_t67 <= 0) {
                                                            														L21:
                                                            														_t83 = _t83 + _t67;
                                                            														asm("adc dword [ebp-0x20], 0x0");
                                                            														 *((intOrPtr*)(_t106 - 0x10)) =  *((intOrPtr*)(_t106 - 0x10)) - _t67;
                                                            														E00416C30(_t83, _t99, _t102, _t99, _t67 + _t99,  *((intOrPtr*)(_t106 - 0x10)));
                                                            														goto L4;
                                                            													} else {
                                                            														while(1) {
                                                            															__eflags =  *((char*)(_t99 + _t89)) - 0x37;
                                                            															if( *((char*)(_t99 + _t89)) == 0x37) {
                                                            															}
                                                            															L17:
                                                            															__eflags = _t89 - _t67;
                                                            															L18:
                                                            															if(__eflags == 0) {
                                                            																goto L21;
                                                            															} else {
                                                            																_t73 = E00403DB0(_t99 + _t89);
                                                            																__eflags = _t73;
                                                            																if(_t73 != 0) {
                                                            																	_t99 =  *((intOrPtr*)(_t106 - 0x14));
                                                            																	E00416FC0(_t83, _t99, _t102, _t102 + 0x28,  *((intOrPtr*)(_t106 - 0x28)) + _t99, 0x20);
                                                            																	_t78 =  *((intOrPtr*)(_t106 - 0x20));
                                                            																	_t92 =  *((intOrPtr*)(_t106 + 8));
                                                            																	_t96 = 0;
                                                            																	_t84 = _t83 + _t99;
                                                            																	asm("adc eax, edx");
                                                            																	 *((intOrPtr*)(_t102 + 0x20)) = _t84;
                                                            																	_t83 = _t84 + 0x20;
                                                            																	__eflags = _t83;
                                                            																	 *((intOrPtr*)(_t102 + 0x24)) = _t78;
                                                            																	asm("adc eax, edx");
                                                            																	_t79 =  *((intOrPtr*)( *_t92 + 0x10))(_t92, _t83, _t78, _t96, _t96);
                                                            																	_push( *((intOrPtr*)(_t106 - 0x28)));
                                                            																	_t103 = _t79;
                                                            																	L27:
                                                            																	L00408BFB(_t83, _t99, _t103, __eflags);
                                                            																	_t52 = _t103;
                                                            																} else {
                                                            																	 *((intOrPtr*)(_t106 - 0x14)) =  *((intOrPtr*)(_t106 - 0x14)) + 1;
                                                            																	__eflags =  *((intOrPtr*)(_t106 - 0x14)) -  *((intOrPtr*)(_t106 - 0x18));
                                                            																	_t99 =  *((intOrPtr*)(_t106 - 0x28));
                                                            																	_t67 =  *((intOrPtr*)(_t106 - 0x18));
                                                            																	if( *((intOrPtr*)(_t106 - 0x14)) <  *((intOrPtr*)(_t106 - 0x18))) {
                                                            																		_t89 =  *((intOrPtr*)(_t106 - 0x14));
                                                            																		while(1) {
                                                            																			__eflags =  *((char*)(_t99 + _t89)) - 0x37;
                                                            																			if( *((char*)(_t99 + _t89)) == 0x37) {
                                                            																			}
                                                            																			goto L14;
                                                            																		}
                                                            																		goto L17;
                                                            																	} else {
                                                            																		goto L21;
                                                            																	}
                                                            																}
                                                            															}
                                                            															goto L28;
                                                            															L14:
                                                            															__eflags = _t89 - _t67;
                                                            															if(__eflags < 0) {
                                                            																_t89 = _t89 + 1;
                                                            																__eflags = _t89;
                                                            																 *((intOrPtr*)(_t106 - 0x14)) = _t89;
                                                            																continue;
                                                            															}
                                                            															goto L18;
                                                            														}
                                                            													}
                                                            												}
                                                            											}
                                                            											goto L28;
                                                            										}
                                                            										_t103 = _t63;
                                                            										goto L24;
                                                            									}
                                                            								}
                                                            							}
                                                            							L28:
                                                            							goto L29;
                                                            						}
                                                            					} else {
                                                            						_t52 = 0;
                                                            					}
                                                            				}
                                                            				L29:
                                                            				return E00416BF9(_t52);
                                                            			}


                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: $d3B
                                                            • API String ID: 431132790-198493696
                                                            • Opcode ID: 36909c94d1b2a368238d16634e6de224bbbadee6273f221c0c5262812a54e26a
                                                            • Instruction ID: 3a515e4a4a240cacc8c10b0b89ac85215a11ea039d74a327c6dee710e8acc370
                                                            • Opcode Fuzzy Hash: 36909c94d1b2a368238d16634e6de224bbbadee6273f221c0c5262812a54e26a
                                                            • Instruction Fuzzy Hash: 3D5170B1A00205ABCB10DFA5CC80AAFB7B5BF85314F14492EEA01B7681D77DE941CB68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E00412324(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				struct _CRITICAL_SECTION* _t25;
                                                            				intOrPtr* _t29;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				intOrPtr _t45;
                                                            				intOrPtr _t46;
                                                            				intOrPtr* _t48;
                                                            				intOrPtr* _t49;
                                                            				intOrPtr* _t51;
                                                            				void* _t52;
                                                            
                                                            				_push(4);
                                                            				E00416B21(E00421F0F, __ebx, __edi, __esi);
                                                            				_t51 = __ecx;
                                                            				_t25 = __ecx + 0x10;
                                                            				 *(_t52 - 0x10) = _t25;
                                                            				EnterCriticalSection(_t25);
                                                            				_t26 =  *((intOrPtr*)(_t52 + 8));
                                                            				_t38 =  *((intOrPtr*)(_t52 + 0xc));
                                                            				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
                                                            				 *((intOrPtr*)(_t51 + 0x38)) =  *((intOrPtr*)(_t52 + 0x10));
                                                            				 *((intOrPtr*)(_t51 + 0x30)) =  *((intOrPtr*)(_t52 + 8));
                                                            				 *((intOrPtr*)(_t51 + 0x34)) =  *((intOrPtr*)(_t52 + 0xc));
                                                            				 *((intOrPtr*)(_t51 + 0x3c)) =  *((intOrPtr*)(_t52 + 0x14));
                                                            				if( *0x430640 != 0) {
                                                            					_t48 = _t51 + 8;
                                                            					E00411C88(_t48, _t26, _t38);
                                                            					_t29 =  *0x430640; // 0x612618
                                                            					 *((intOrPtr*)( *_t29 + 0x28))(_t29,  *_t51, 2);
                                                            					_t49 =  *0x430640; // 0x612618
                                                            					_t45 =  *((intOrPtr*)(_t51 + 0x34));
                                                            					 *((intOrPtr*)(_t52 + 0xc)) =  *_t48;
                                                            					_t32 = E00417780( *((intOrPtr*)(_t51 + 0x30)),  *_t48, _t45);
                                                            					asm("cdq");
                                                            					_t46 =  *((intOrPtr*)(_t51 + 0x3c));
                                                            					_t34 = E00417780( *((intOrPtr*)(_t51 + 0x38)),  *((intOrPtr*)(_t52 + 0xc)), _t46);
                                                            					asm("cdq");
                                                            					_t26 =  *((intOrPtr*)( *_t49 + 0x24))(_t49,  *_t51, _t34, _t46, _t32, _t45);
                                                            				}
                                                            				LeaveCriticalSection( *(_t52 - 0x10));
                                                            				return E00416BF9(_t26);
                                                            			}


                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0041232B
                                                            • EnterCriticalSection.KERNEL32(?,00000004), ref: 00412339
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 004123B4
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterH_prolog3Leave
                                                            • String ID:
                                                            • API String ID: 4250467438-0
                                                            • Opcode ID: f1ca1d38278928531743cf0973599496185f1997b087bd932536968317e365bd
                                                            • Instruction ID: 7b34ac69ecfa62052499947f8b89ca965626569db3180aad90851b79160f7002
                                                            • Opcode Fuzzy Hash: f1ca1d38278928531743cf0973599496185f1997b087bd932536968317e365bd
                                                            • Instruction Fuzzy Hash: A71123B5200600AFC760DF65C985AAAB7F6BF88300B50992EF95A87B60C738F951CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E004123C2(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				struct _CRITICAL_SECTION* _t23;
                                                            				intOrPtr* _t28;
                                                            				void* _t31;
                                                            				void* _t33;
                                                            				intOrPtr _t41;
                                                            				intOrPtr _t42;
                                                            				intOrPtr* _t44;
                                                            				intOrPtr* _t45;
                                                            				intOrPtr* _t47;
                                                            				void* _t48;
                                                            
                                                            				_push(4);
                                                            				E00416B21(E00421F0F, __ebx, __edi, __esi);
                                                            				_t47 = __ecx;
                                                            				_t23 = __ecx + 0x10;
                                                            				 *(_t48 - 0x10) = _t23;
                                                            				EnterCriticalSection(_t23);
                                                            				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
                                                            				 *((intOrPtr*)(_t47 + 0x38)) =  *((intOrPtr*)(_t48 + 8));
                                                            				_t25 =  *((intOrPtr*)(_t48 + 0xc));
                                                            				 *((intOrPtr*)(_t47 + 0x3c)) =  *((intOrPtr*)(_t48 + 0xc));
                                                            				if( *0x430640 != 0) {
                                                            					_t44 = _t47 + 8;
                                                            					E00411C88(_t44,  *((intOrPtr*)(_t47 + 0x30)),  *((intOrPtr*)(_t47 + 0x34)));
                                                            					_t28 =  *0x430640; // 0x612618
                                                            					 *((intOrPtr*)( *_t28 + 0x28))(_t28,  *_t47, 2);
                                                            					_t45 =  *0x430640; // 0x612618
                                                            					_t41 =  *((intOrPtr*)(_t47 + 0x34));
                                                            					 *((intOrPtr*)(_t48 + 0xc)) =  *_t44;
                                                            					_t31 = E00417780( *((intOrPtr*)(_t47 + 0x30)),  *_t44, _t41);
                                                            					asm("cdq");
                                                            					_t42 =  *((intOrPtr*)(_t47 + 0x3c));
                                                            					_t33 = E00417780( *((intOrPtr*)(_t47 + 0x38)),  *((intOrPtr*)(_t48 + 0xc)), _t42);
                                                            					asm("cdq");
                                                            					_t25 =  *((intOrPtr*)( *_t45 + 0x24))(_t45,  *_t47, _t33, _t42, _t31, _t41);
                                                            				}
                                                            				LeaveCriticalSection( *(_t48 - 0x10));
                                                            				return E00416BF9(_t25);
                                                            			}














                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 004123C9
                                                            • EnterCriticalSection.KERNEL32(?,00000004), ref: 004123D7
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0041244A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterH_prolog3Leave
                                                            • String ID:
                                                            • API String ID: 4250467438-0
                                                            • Opcode ID: e44546212c9cd121f28e1859ac9352c8223e510be0f53fe4628133fed2ae9915
                                                            • Instruction ID: b8ab0e8a091e3454a54943d1fa2376730f801439e704a0f0635c4d72261d10eb
                                                            • Opcode Fuzzy Hash: e44546212c9cd121f28e1859ac9352c8223e510be0f53fe4628133fed2ae9915
                                                            • Instruction Fuzzy Hash: 4C112575200600EFCB61EF64C985AAAB7B6FF88300F50992EF95687A60C738F951CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E00409899(void* __ebx, void** __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t22;
                                                            				void* _t26;
                                                            				void** _t35;
                                                            				void* _t37;
                                                            				void* _t38;
                                                            
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t35 = __ecx;
                                                            				if(E00409469(__ecx) != 0) {
                                                            					_t37 = CreateFileW;
                                                            					_t22 = CreateFileW( *(_t38 + 8),  *(_t38 + 0xc),  *(_t38 + 0x10), 0,  *(_t38 + 0x14),  *(_t38 + 0x18), 0); // executed
                                                            					 *_t35 = _t22;
                                                            					_t41 = _t22 - 0xffffffff;
                                                            					if(_t22 == 0xffffffff) {
                                                            						E0040320A(_t38 - 0x18);
                                                            						 *((intOrPtr*)(_t38 - 4)) = 0;
                                                            						_t26 = E00409876(_t41,  *(_t38 + 8), _t38 - 0x18);
                                                            						_t42 = _t26;
                                                            						if(_t26 != 0) {
                                                            							 *_t35 = CreateFileW( *(_t38 - 0x18),  *(_t38 + 0xc),  *(_t38 + 0x10), 0,  *(_t38 + 0x14),  *(_t38 + 0x18), 0);
                                                            						}
                                                            						_push( *(_t38 - 0x18));
                                                            						L00408BFB(0, _t35, _t37, _t42);
                                                            					}
                                                            					_t20 = 0 |  *_t35 != 0xffffffff;
                                                            				}
                                                            				return E00416BF9(_t20);
                                                            			}









                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 004098A0
                                                              • Part of subcall function 00409469: FindCloseChangeNotification.KERNELBASE ref: 00409474
                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,0000000C), ref: 004098C9
                                                            • CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000,?,?), ref: 004098FE
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CreateFile$ChangeCloseFindH_prolog3Notification
                                                            • String ID:
                                                            • API String ID: 497171381-0
                                                            • Opcode ID: 2e27a2388b066e432df6d7a938a5b8c5348d8dcfff54f88ac972f1d3587ffd35
                                                            • Instruction ID: 592200983aca7f03df924794e6f5b352c9d03a6f4c54ac32436f896c8fb0c43e
                                                            • Opcode Fuzzy Hash: 2e27a2388b066e432df6d7a938a5b8c5348d8dcfff54f88ac972f1d3587ffd35
                                                            • Instruction Fuzzy Hash: 8701007240010EAFDF01AFA1CC428EE7F76EF18364F50452ABA60661E2C735DD62EB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E00410BBB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t14;
                                                            				signed int _t15;
                                                            				int _t17;
                                                            				int _t20;
                                                            				int _t22;
                                                            				signed int _t23;
                                                            				int _t31;
                                                            				void* _t32;
                                                            				void* _t33;
                                                            
                                                            				_t33 = __eflags;
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t14 = E00410A7A(__ebx, __edi, __esi, _t33,  *(_t32 + 8), 0); // executed
                                                            				if(_t14 == 0) {
                                                            					L6:
                                                            					_t15 = 0;
                                                            					__eflags = 0;
                                                            				} else {
                                                            					_t17 = DeleteFileW( *(_t32 + 8)); // executed
                                                            					if(_t17 == 0) {
                                                            						E0040320A(_t32 - 0x18);
                                                            						 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                                            						_t20 = E00409876(__eflags,  *(_t32 + 8), _t32 - 0x18);
                                                            						_push( *((intOrPtr*)(_t32 - 0x18)));
                                                            						__eflags = _t20;
                                                            						if(__eflags == 0) {
                                                            							L00408BFB(__ebx, __edi, DeleteFileW, __eflags);
                                                            							goto L6;
                                                            						} else {
                                                            							_t22 = DeleteFileW();
                                                            							_push( *((intOrPtr*)(_t32 - 0x18)));
                                                            							_t31 = _t22;
                                                            							_t23 = L00408BFB(__ebx, __edi, _t31, __eflags);
                                                            							__eflags = _t31;
                                                            							_t15 = _t23 & 0xffffff00 | _t31 != 0x00000000;
                                                            						}
                                                            					} else {
                                                            						_t15 = 1;
                                                            					}
                                                            				}
                                                            				return E00416BF9(_t15);
                                                            			}













                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410BC2
                                                              • Part of subcall function 00410A7A: __EH_prolog3.LIBCMT ref: 00410A81
                                                              • Part of subcall function 00410A7A: SetFileAttributesW.KERNELBASE(?,?,0000000C), ref: 00410A92
                                                            • DeleteFileW.KERNELBASE(?,0000000C), ref: 00410BDE
                                                            • DeleteFileW.KERNEL32(?,?,?), ref: 00410C07
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: File$DeleteH_prolog3$Attributes
                                                            • String ID:
                                                            • API String ID: 1699852380-0
                                                            • Opcode ID: aa60388c990ca20335ff6b8a2c2d0d9a5d7906f33e0c0772e15b234dafe4a561
                                                            • Instruction ID: 82b29cb7c56b73e0ed4b09c3219c5ce96762dd4778a0f313884fd1d1f183af2a
                                                            • Opcode Fuzzy Hash: aa60388c990ca20335ff6b8a2c2d0d9a5d7906f33e0c0772e15b234dafe4a561
                                                            • Instruction Fuzzy Hash: 0BF0A431900115AACF14AFA1C802BED7F219F10354F01802BB90076192DB79D9C2AADC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 81%
                                                            			E00410A7A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				int _t16;
                                                            				signed int _t21;
                                                            				int _t23;
                                                            				signed int _t24;
                                                            				int _t31;
                                                            				void* _t32;
                                                            
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t16 = SetFileAttributesW( *(_t32 + 8),  *(_t32 + 0xc)); // executed
                                                            				if(_t16 == 0) {
                                                            					E0040320A(_t32 - 0x18);
                                                            					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                                            					__eflags = E00409876(__eflags,  *(_t32 + 8), _t32 - 0x18);
                                                            					if(__eflags == 0) {
                                                            						_push( *(_t32 - 0x18));
                                                            						L00408BFB(__ebx, __edi, SetFileAttributesW, __eflags);
                                                            						_t21 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_t23 = SetFileAttributesW( *(_t32 - 0x18),  *(_t32 + 0xc));
                                                            						_push( *(_t32 - 0x18));
                                                            						_t31 = _t23;
                                                            						_t24 = L00408BFB(__ebx, __edi, _t31, __eflags);
                                                            						__eflags = _t31;
                                                            						_t21 = _t24 & 0xffffff00 | _t31 != 0x00000000;
                                                            					}
                                                            				} else {
                                                            					_t21 = 1;
                                                            				}
                                                            				return E00416BF9(_t21);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410A81
                                                            • SetFileAttributesW.KERNELBASE(?,?,0000000C), ref: 00410A92
                                                            • SetFileAttributesW.KERNEL32(?,?,?,?), ref: 00410ABE
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile$H_prolog3
                                                            • String ID:
                                                            • API String ID: 1525373243-0
                                                            • Opcode ID: 8d85c776ab4068c8f05fe61b7f3e61eb28d90dad28fb2599ea8dc5aeb20f5ffb
                                                            • Instruction ID: b68339446e7912557b5547a3532edc32d3c599c184010c8767136443e2a04074
                                                            • Opcode Fuzzy Hash: 8d85c776ab4068c8f05fe61b7f3e61eb28d90dad28fb2599ea8dc5aeb20f5ffb
                                                            • Instruction Fuzzy Hash: ADF09C31800219EACF00AFA1CC02AED7F31DF14354F01402BB900761A2CB79DDD2EB98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0040AA23(intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _t14;
                                                            				void* _t19;
                                                            				struct _CRITICAL_SECTION* _t23;
                                                            				intOrPtr* _t25;
                                                            				intOrPtr* _t26;
                                                            				void* _t28;
                                                            
                                                            				_push(4);
                                                            				E00416B21(E00421F0F, _t19, __edi, __esi);
                                                            				_t25 = __ecx;
                                                            				_t23 = __ecx + 4;
                                                            				 *(_t28 - 0x10) = _t23;
                                                            				EnterCriticalSection(_t23);
                                                            				_t14 =  *_t25;
                                                            				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push( *((intOrPtr*)(_t28 + 0xc)));
                                                            				_push( *((intOrPtr*)(_t28 + 8)));
                                                            				_push(_t14); // executed
                                                            				if( *((intOrPtr*)( *_t14 + 0x10))() == 0) {
                                                            					_t26 =  *_t25;
                                                            					_t15 =  *((intOrPtr*)( *_t26 + 0xc))(_t26,  *((intOrPtr*)(_t28 + 0x10)),  *((intOrPtr*)(_t28 + 0x14)),  *((intOrPtr*)(_t28 + 0x18)));
                                                            				}
                                                            				LeaveCriticalSection(_t23);
                                                            				return E00416BF9(_t15);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040AA2A
                                                            • EnterCriticalSection.KERNEL32(00000000,00000004,0040AAA2,?,?,?,?,00000000), ref: 0040AA38
                                                            • LeaveCriticalSection.KERNEL32(00000000,?,?,?,?), ref: 0040AA5B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterH_prolog3Leave
                                                            • String ID:
                                                            • API String ID: 4250467438-0
                                                            • Opcode ID: 4dddb49c8288610b6a72de20f540e7b07757c19d66fa8ff38042e61517f2b0a0
                                                            • Instruction ID: 376e6d0b6539734c182ceb4bf0422f82a57e589c454eeaae9fc2f109862d71f0
                                                            • Opcode Fuzzy Hash: 4dddb49c8288610b6a72de20f540e7b07757c19d66fa8ff38042e61517f2b0a0
                                                            • Instruction Fuzzy Hash: DDF06235600214EBCB219FA0CC04B9A7BB5BF08711F15445AFA11AB2A0C779E951DF69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00410AE4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				int _t13;
                                                            				int _t16;
                                                            				signed int _t18;
                                                            				int _t20;
                                                            				signed int _t21;
                                                            				int _t28;
                                                            				void* _t29;
                                                            
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				_t13 = RemoveDirectoryW( *(_t29 + 8)); // executed
                                                            				if(_t13 == 0) {
                                                            					E0040320A(_t29 - 0x18);
                                                            					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                                            					_t16 = E00409876(__eflags,  *(_t29 + 8), _t29 - 0x18);
                                                            					_push( *((intOrPtr*)(_t29 - 0x18)));
                                                            					__eflags = _t16;
                                                            					if(__eflags == 0) {
                                                            						L00408BFB(__ebx, __edi, RemoveDirectoryW, __eflags);
                                                            						_t18 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_t20 = RemoveDirectoryW();
                                                            						_push( *((intOrPtr*)(_t29 - 0x18)));
                                                            						_t28 = _t20;
                                                            						_t21 = L00408BFB(__ebx, __edi, _t28, __eflags);
                                                            						__eflags = _t28;
                                                            						_t18 = _t21 & 0xffffff00 | _t28 != 0x00000000;
                                                            					}
                                                            				} else {
                                                            					_t18 = 1;
                                                            				}
                                                            				return E00416BF9(_t18);
                                                            			}











                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410AEB
                                                            • RemoveDirectoryW.KERNELBASE(?,0000000C), ref: 00410AF9
                                                            • RemoveDirectoryW.KERNEL32(?,?,?), ref: 00410B22
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: DirectoryRemove$H_prolog3
                                                            • String ID:
                                                            • API String ID: 3343300676-0
                                                            • Opcode ID: 65cf368d349eb4c92cd16b1e3ade35d5f6be28c4dc45d3fa00a9d84382bf9e58
                                                            • Instruction ID: 710b2b3079904f10a49b21f330e3983a60d9af1bfd423f351766240e205e25f6
                                                            • Opcode Fuzzy Hash: 65cf368d349eb4c92cd16b1e3ade35d5f6be28c4dc45d3fa00a9d84382bf9e58
                                                            • Instruction Fuzzy Hash: 60F0303180411996CF10ABE1C902AEE7F259F00358F15406BA9406A292CB79E9C6E6AD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E0040177A(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t21;
                                                            				intOrPtr _t33;
                                                            				void* _t34;
                                                            				void* _t35;
                                                            
                                                            				_t35 = __eflags;
                                                            				_t31 = __edi;
                                                            				_t23 = __ebx;
                                                            				_push(4);
                                                            				E00416B21(E00421471, __ebx, __edi, __esi);
                                                            				_t33 = __ecx;
                                                            				 *((intOrPtr*)(_t34 - 0x10)) = __ecx;
                                                            				 *(_t34 - 4) = 4;
                                                            				E00408BC5(__ecx + 0xb4);
                                                            				 *(_t34 - 4) = 3;
                                                            				E00408BC5(__ecx + 0xa0);
                                                            				 *(_t34 - 4) = 2;
                                                            				E004015E5(__ebx, __ecx + 0x8c, __edi, __ecx, _t35);
                                                            				 *(_t34 - 4) = 1;
                                                            				E00401489(_t23, _t33 + 0x78, _t31, _t33, _t35); // executed
                                                            				 *(_t34 - 4) = 0;
                                                            				E0040B173(_t33);
                                                            				_t11 = _t34 - 4;
                                                            				 *(_t34 - 4) =  *(_t34 - 4) | 0xffffffff;
                                                            				_t21 = E0040157A(_t23, _t33 + 0x14, _t31, _t33,  *_t11); // executed
                                                            				return E00416BF9(_t21);
                                                            			}








                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00401781
                                                            • ~_Task_impl.LIBCPMT ref: 004017B6
                                                              • Part of subcall function 004015E5: __EH_prolog3.LIBCMT ref: 004015EC
                                                            • ~_Task_impl.LIBCPMT ref: 004017C2
                                                              • Part of subcall function 00401489: __EH_prolog3.LIBCMT ref: 00401490
                                                              • Part of subcall function 0040157A: __EH_prolog3.LIBCMT ref: 00401581
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$Task_impl
                                                            • String ID:
                                                            • API String ID: 2843614703-0
                                                            • Opcode ID: 3dfa0d9badd74e310505ad803d96c188240e82b3241b6ae798c843971600a03f
                                                            • Instruction ID: 013af03912305f4c448b6a7ee667699893353aed5ea99b6c000518ccc271aa3d
                                                            • Opcode Fuzzy Hash: 3dfa0d9badd74e310505ad803d96c188240e82b3241b6ae798c843971600a03f
                                                            • Instruction Fuzzy Hash: E1F0F070404354CAD714FBA1C1027DCBBB06F20308F4041DEA4A6232D2DF782708C62A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E0040193F(intOrPtr __ecx, void* __esi, void* __eflags) {
                                                            				void* _t15;
                                                            				void* _t20;
                                                            				intOrPtr _t22;
                                                            				void* _t23;
                                                            				void* _t24;
                                                            
                                                            				_t24 = __eflags;
                                                            				_push(4);
                                                            				E00416B21(E00420CC8, _t15, _t20, __esi);
                                                            				_t22 = __ecx;
                                                            				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
                                                            				 *(_t23 - 4) = 1;
                                                            				E00401616(_t15, __ecx + 0x74, _t20, __ecx, _t24); // executed
                                                            				 *(_t23 - 4) = 0;
                                                            				E00401549(_t15, _t22 + 0x5c, _t20, _t22, _t24); // executed
                                                            				_t6 = _t23 - 4;
                                                            				 *(_t23 - 4) =  *(_t23 - 4) | 0xffffffff;
                                                            				return E00416BF9(E004011EE(_t15, _t22 + 0xc, _t20, _t22,  *_t6));
                                                            			}









                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00401946
                                                            • ~_Task_impl.LIBCPMT ref: 0040195A
                                                              • Part of subcall function 00401616: __EH_prolog3.LIBCMT ref: 0040161D
                                                            • ~_Task_impl.LIBCPMT ref: 00401966
                                                              • Part of subcall function 00401549: __EH_prolog3.LIBCMT ref: 00401550
                                                              • Part of subcall function 004011EE: __EH_prolog3.LIBCMT ref: 004011F5
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$Task_impl
                                                            • String ID:
                                                            • API String ID: 2843614703-0
                                                            • Opcode ID: 5a36d9774e3f7b5f4d6334cd3bd70039b4e6d44ffea03344701cfbbcf185756c
                                                            • Instruction ID: 5cdb3cf3dca08719438845c65d893accad8844cd1feecf10675d4a7ad2801eba
                                                            • Opcode Fuzzy Hash: 5a36d9774e3f7b5f4d6334cd3bd70039b4e6d44ffea03344701cfbbcf185756c
                                                            • Instruction Fuzzy Hash: 1FE02670804610CBC708FBE5C80238DBBE0AF00318F40435EA512672E2CFB86708C608
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E00413320(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t62;
                                                            				intOrPtr _t63;
                                                            				intOrPtr _t64;
                                                            				intOrPtr _t73;
                                                            				intOrPtr* _t82;
                                                            				intOrPtr _t83;
                                                            				void* _t85;
                                                            				void* _t89;
                                                            				intOrPtr* _t121;
                                                            				void* _t122;
                                                            				void* _t125;
                                                            
                                                            				_t125 = __eflags;
                                                            				_t119 = __edi;
                                                            				_t117 = __edx;
                                                            				_push(0x58);
                                                            				E00416B21(E004220FF, __ebx, __edi, __esi);
                                                            				_t121 = __ecx;
                                                            				E0040320A(_t122 - 0x3c);
                                                            				_push( *((intOrPtr*)(__ecx + 4)));
                                                            				 *((intOrPtr*)(_t122 - 4)) = 0;
                                                            				_t62 = E00409371(0, _t122 - 0x64, __edx, __edi, __ecx, _t125); // executed
                                                            				_t126 = _t62;
                                                            				if(_t62 != 0) {
                                                            					_t63 =  *((intOrPtr*)(_t121 + 0x1c));
                                                            					__eflags = _t63;
                                                            					if(__eflags == 0) {
                                                            						_t64 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_t64 = _t63 + 4;
                                                            					}
                                                            					 *((intOrPtr*)(_t122 - 0x28)) = 0;
                                                            					 *((intOrPtr*)(_t122 - 0x24)) = 0;
                                                            					 *((intOrPtr*)(_t122 - 0x20)) = 0;
                                                            					 *((intOrPtr*)(_t122 - 0x1c)) = 4;
                                                            					 *((intOrPtr*)(_t122 - 0x2c)) = 0x42350c;
                                                            					_push(_t64);
                                                            					_push(_t121 + 4);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(_t122 - 0x2c);
                                                            					_push( *_t121);
                                                            					_t119 = _t121 + 0x28;
                                                            					 *((char*)(_t122 - 4)) = 1;
                                                            					 *((intOrPtr*)(_t121 + 0x60)) = E0040C59C(0, _t119, _t117, _t119, _t121, __eflags);
                                                            					 *((char*)(_t122 - 4)) = 0;
                                                            					E00408BC5(_t122 - 0x2c);
                                                            					__eflags =  *((intOrPtr*)(_t121 + 0x60));
                                                            					if( *((intOrPtr*)(_t121 + 0x60)) == 0) {
                                                            						_t102 = _t122 - 0x18;
                                                            						E00404082(_t122 - 0x18, _t122, _t121 + 0x10);
                                                            						 *((char*)(_t122 - 4)) = 2;
                                                            						E004099DF(_t122 - 0x18);
                                                            						_push( *((intOrPtr*)(_t122 - 0x18)));
                                                            						_t73 = E00410F49(0, _t119, _t121, __eflags); // executed
                                                            						__eflags = _t73;
                                                            						if(__eflags != 0) {
                                                            							E00401647(_t122 - 0x24, _t122, L"Default");
                                                            							 *((char*)(_t122 - 4)) = 4;
                                                            							E00412551(0,  *((intOrPtr*)(_t121 + 0x1c)), _t119, _t121, __eflags);
                                                            							 *((char*)(_t122 - 4)) = 2;
                                                            							L00408BFB(0, _t119, _t121, __eflags);
                                                            							_t82 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 0xc)) +  *(_t119 + 8) * 4 - 4))));
                                                            							_t83 =  *((intOrPtr*)( *_t82 + 0x1c))(_t82, 0, 0xffffffff, 0,  *((intOrPtr*)(_t121 + 0x20)),  *((intOrPtr*)(_t122 - 0x24)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 0xc)) +  *(_t119 + 8) * 4 - 4)))), _t122 - 0x18, _t122 - 0x24, _t122 - 0x4c, 0);
                                                            							_push( *((intOrPtr*)(_t122 - 0x18)));
                                                            							 *((intOrPtr*)(_t121 + 0x60)) = _t83;
                                                            							L00408BFB(0, _t119, _t121, __eflags);
                                                            							_push( *((intOrPtr*)(_t122 - 0x3c)));
                                                            							_t85 = L00408BFB(0, _t119, _t121, __eflags);
                                                            							goto L11;
                                                            						} else {
                                                            							_push(_t122 - 0x18);
                                                            							_push(9);
                                                            							_push(_t122 - 0x24);
                                                            							_t89 = E0040C997(0, _t102, _t119, _t121, __eflags);
                                                            							 *((char*)(_t122 - 4)) = 3;
                                                            							E00408639(_t121 + 0x64, _t122, _t89);
                                                            							_push( *((intOrPtr*)(_t122 - 0x24)));
                                                            							L00408BFB(0, _t119, _t121, __eflags);
                                                            							_push( *((intOrPtr*)(_t122 - 0x18)));
                                                            							 *((intOrPtr*)(_t121 + 0x60)) = 0x80004005;
                                                            							L00408BFB(0, _t119, _t121, __eflags);
                                                            							_push( *((intOrPtr*)(_t122 - 0x3c)));
                                                            							_t85 = L00408BFB(0, _t119, _t121, __eflags);
                                                            						}
                                                            					} else {
                                                            						E00408639(_t121 + 0x64, _t122, 0x430624);
                                                            						goto L2;
                                                            					}
                                                            				} else {
                                                            					E00408639(_t121 + 0x64, _t122, 0x430618);
                                                            					 *((intOrPtr*)(_t121 + 0x60)) = 0x80004005;
                                                            					L2:
                                                            					_push( *((intOrPtr*)(_t122 - 0x3c)));
                                                            					_t85 = L00408BFB(0, _t119, _t121, _t126);
                                                            					L11:
                                                            				}
                                                            				return E00416BF9(_t85);
                                                            			}















                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00413327
                                                              • Part of subcall function 00409371: __EH_prolog3.LIBCMT ref: 00409378
                                                              • Part of subcall function 00410F49: __EH_prolog3.LIBCMT ref: 00410F50
                                                              • Part of subcall function 0040C997: __EH_prolog3.LIBCMT ref: 0040C99E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: Default
                                                            • API String ID: 431132790-753088835
                                                            • Opcode ID: 9bb2fe5a139833588a7d3d06fd8f57c5a8a4d5c7409c239a80a1bd62f6c0b366
                                                            • Instruction ID: 637a408ca592e427b064d91d27cf8d613e21661ac3e18e47597f74a2cd651e88
                                                            • Opcode Fuzzy Hash: 9bb2fe5a139833588a7d3d06fd8f57c5a8a4d5c7409c239a80a1bd62f6c0b366
                                                            • Instruction Fuzzy Hash: F84162B1800208EFCB15DF95C9819DEBBB4BF08304F10456EF59673292DF79AA45DB18
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E00412970() {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				intOrPtr* _t133;
                                                            				signed int _t134;
                                                            				signed int _t142;
                                                            				intOrPtr* _t144;
                                                            				intOrPtr _t146;
                                                            				intOrPtr* _t147;
                                                            				signed int _t148;
                                                            				intOrPtr* _t153;
                                                            				intOrPtr* _t156;
                                                            				signed int _t158;
                                                            				intOrPtr _t160;
                                                            				intOrPtr* _t179;
                                                            				intOrPtr _t181;
                                                            				signed int _t182;
                                                            				intOrPtr* _t185;
                                                            				signed int _t188;
                                                            				signed int _t196;
                                                            				intOrPtr* _t197;
                                                            				void* _t215;
                                                            				signed int _t216;
                                                            				signed int _t265;
                                                            				signed int _t267;
                                                            				intOrPtr* _t269;
                                                            				short* _t271;
                                                            				void* _t273;
                                                            
                                                            				_t271 = _t273 - 0x68;
                                                            				_t269 =  *((intOrPtr*)(_t271 + 0x70));
                                                            				if(E00411CBC(_t269 + 0xc8) == 0) {
                                                            					E00402B01(_t269 + 0x50);
                                                            					 *(_t271 + 0x10) = 0;
                                                            					 *((short*)(_t271 + 0x12)) = 0;
                                                            					_t133 =  *((intOrPtr*)(_t269 + 0x10));
                                                            					_t134 =  *((intOrPtr*)( *_t133 + 0x18))(_t133,  *(_t271 + 0x74), 3, _t271 + 0x10, _t265, _t215);
                                                            					_t216 = 0;
                                                            					__eflags = _t134;
                                                            					if(_t134 == 0) {
                                                            						E0040320A(_t271 + 0x5c);
                                                            						__eflags =  *(_t271 + 0x10);
                                                            						if( *(_t271 + 0x10) != 0) {
                                                            							__eflags =  *(_t271 + 0x10) - 8;
                                                            							if(__eflags == 0) {
                                                            								E004090CA(_t271 + 0x5c, _t271,  *((intOrPtr*)(_t271 + 0x18)));
                                                            								goto L11;
                                                            							}
                                                            							goto L9;
                                                            						} else {
                                                            							E00408639(_t271 + 0x5c, _t271, _t269 + 0x54);
                                                            							L11:
                                                            							E00408639(_t269 + 0x20, _t271, _t271 + 0x5c);
                                                            							__eflags =  *((intOrPtr*)(_t271 + 0x7c)) - _t216;
                                                            							if(__eflags != 0) {
                                                            								 *( *(_t271 + 0x78)) = _t216;
                                                            								L42:
                                                            								_push( *((intOrPtr*)(_t271 + 0x5c)));
                                                            								L00408BFB(_t216, _t265, _t269, __eflags);
                                                            								goto L5;
                                                            							}
                                                            							 *(_t271 + 0x4c) = 0;
                                                            							 *((short*)(_t271 + 0x4e)) = 0;
                                                            							_t144 =  *((intOrPtr*)(_t269 + 0x10));
                                                            							_t267 =  *((intOrPtr*)( *_t144 + 0x18))(_t144,  *(_t271 + 0x74), 9, _t271 + 0x4c);
                                                            							__eflags = _t267 - _t216;
                                                            							if(_t267 == _t216) {
                                                            								__eflags =  *(_t271 + 0x4c) - _t216;
                                                            								if( *(_t271 + 0x4c) != _t216) {
                                                            									__eflags =  *(_t271 + 0x4c) - 0x13;
                                                            									if( *(_t271 + 0x4c) == 0x13) {
                                                            										_t146 =  *((intOrPtr*)(_t271 + 0x54));
                                                            										L19:
                                                            										 *((intOrPtr*)(_t269 + 0x48)) = _t146;
                                                            										_t147 =  *((intOrPtr*)(_t269 + 0x10));
                                                            										_t148 =  *((intOrPtr*)( *_t147 + 0x18))(_t147,  *(_t271 + 0x74), 6, _t271 + 0x4c);
                                                            										_t267 = _t148;
                                                            										__eflags = _t267 - _t216;
                                                            										if(_t267 != _t216) {
                                                            											goto L13;
                                                            										}
                                                            										__eflags =  *((intOrPtr*)(_t271 + 0x54)) - _t216;
                                                            										 *((char*)(_t269 + 0x44)) = _t148 & 0xffffff00 |  *((intOrPtr*)(_t271 + 0x54)) != _t216;
                                                            										 *_t271 = 0;
                                                            										 *((short*)(_t271 + 2)) = 0;
                                                            										_t153 =  *((intOrPtr*)(_t269 + 0x10));
                                                            										 *(_t271 + 0x73) = _t216;
                                                            										_t267 =  *((intOrPtr*)( *_t153 + 0x18))(_t153,  *(_t271 + 0x74), 0x15, _t271);
                                                            										__eflags = _t267 - _t216;
                                                            										if(_t267 == _t216) {
                                                            											__eflags =  *_t271 - 0xb;
                                                            											if( *_t271 == 0xb) {
                                                            												__eflags =  *((intOrPtr*)(_t271 + 8)) - _t216;
                                                            												_t51 = _t271 + 0x73;
                                                            												 *_t51 =  *((intOrPtr*)(_t271 + 8)) != _t216;
                                                            												__eflags =  *_t51;
                                                            											}
                                                            											E00409A4A(_t271);
                                                            											_t156 =  *((intOrPtr*)(_t269 + 0x10));
                                                            											_t264 = _t271 + 0x4c;
                                                            											_t267 =  *((intOrPtr*)( *_t156 + 0x18))(_t156,  *(_t271 + 0x74), 0xc, _t271 + 0x4c);
                                                            											__eflags = _t267 - _t216;
                                                            											if(_t267 != _t216) {
                                                            												goto L13;
                                                            											} else {
                                                            												_t158 =  *(_t271 + 0x4c) & 0x0000ffff;
                                                            												__eflags = _t158 - _t216;
                                                            												if(__eflags == 0) {
                                                            													_t265 = _t269 + 0x3c;
                                                            													 *_t265 =  *((intOrPtr*)(_t269 + 0x60));
                                                            													_t160 =  *((intOrPtr*)(_t269 + 0x64));
                                                            													L29:
                                                            													 *((intOrPtr*)(_t265 + 4)) = _t160;
                                                            													_push(_t271 + 0x2c);
                                                            													_push(_t271 + 0x5c);
                                                            													 *(_t271 + 0x30) = _t216;
                                                            													 *(_t271 + 0x34) = _t216;
                                                            													 *(_t271 + 0x38) = _t216;
                                                            													 *((intOrPtr*)(_t271 + 0x3c)) = 4;
                                                            													 *((intOrPtr*)(_t271 + 0x2c)) = 0x423798;
                                                            													E0040900B(_t216, _t264, _t265, _t269, __eflags);
                                                            													__eflags =  *(_t271 + 0x34) - _t216;
                                                            													if(__eflags != 0) {
                                                            														E00404082(_t271 + 0x20, _t271, _t271 + 0x5c);
                                                            														__eflags =  *((intOrPtr*)(_t269 + 0x44)) - _t216;
                                                            														if( *((intOrPtr*)(_t269 + 0x44)) == _t216) {
                                                            															E00408A40(_t271 + 0x2c);
                                                            														}
                                                            														__eflags =  *(_t271 + 0x34) - _t216;
                                                            														if(__eflags != 0) {
                                                            															__eflags =  *(_t271 + 0x73) - _t216;
                                                            															if(__eflags == 0) {
                                                            																_push(_t271 + 0x2c);
                                                            																E00412707(_t216, _t269, _t264, _t265, _t269, __eflags); // executed
                                                            															}
                                                            														}
                                                            														_push(_t271 + 0x20);
                                                            														_push(_t269 + 0x14);
                                                            														_push(_t271 + 0x40);
                                                            														E004096A4(_t216, _t265, _t269, __eflags);
                                                            														__eflags =  *((intOrPtr*)(_t269 + 0x44)) - _t216;
                                                            														if( *((intOrPtr*)(_t269 + 0x44)) == _t216) {
                                                            															E0040320A(_t271 - 0x10);
                                                            															_push( *((intOrPtr*)(_t271 + 0x40)));
                                                            															__eflags = E00409371(_t216, _t271 - 0x38, _t264, _t265, _t269, __eflags);
                                                            															if(__eflags == 0) {
                                                            																L51:
                                                            																__eflags =  *(_t271 + 0x73) - _t216;
                                                            																if(__eflags != 0) {
                                                            																	L62:
                                                            																	E00408639(_t269 + 0x2c, _t271, _t271 + 0x40);
                                                            																	_push( *((intOrPtr*)(_t271 - 0x10)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	_push( *((intOrPtr*)(_t271 + 0x40)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	_push( *((intOrPtr*)(_t271 + 0x20)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	goto L41;
                                                            																}
                                                            																_t179 = E00408BD0(_t216, _t265, __eflags, 0x18);
                                                            																__eflags = _t179 - _t216;
                                                            																if(_t179 == _t216) {
                                                            																	_t179 = 0;
                                                            																	__eflags = 0;
                                                            																} else {
                                                            																	 *(_t179 + 4) = _t216;
                                                            																	 *_t179 = 0x423eb0;
                                                            																	 *(_t179 + 8) =  *(_t179 + 8) | 0xffffffff;
                                                            																}
                                                            																 *((intOrPtr*)(_t269 + 0x4c)) = _t179;
                                                            																E0040222C(_t271 + 0x74, _t179);
                                                            																_t181 =  *((intOrPtr*)(_t269 + 0x4c));
                                                            																 *(_t181 + 0x10) = _t216;
                                                            																 *(_t181 + 0x14) = _t216;
                                                            																_t182 = E0040999D( *((intOrPtr*)(_t271 + 0x40)), 1);
                                                            																__eflags = _t182;
                                                            																if(_t182 != 0) {
                                                            																	L61:
                                                            																	_t265 =  *(_t271 + 0x74);
                                                            																	E00406200(_t269 + 0x50, _t265);
                                                            																	 *( *(_t271 + 0x78)) = _t265;
                                                            																	goto L62;
                                                            																} else {
                                                            																	__eflags =  *((intOrPtr*)(_t269 + 0x139)) - _t216;
                                                            																	if( *((intOrPtr*)(_t269 + 0x139)) == _t216) {
                                                            																		_t185 =  *0x430640; // 0x612618
                                                            																		__eflags = _t185 - _t216;
                                                            																		if(_t185 != _t216) {
                                                            																			 *((intOrPtr*)( *_t185 + 0x28))(_t185,  *((intOrPtr*)(_t269 + 0x134)), 4);
                                                            																		}
                                                            																		goto L61;
                                                            																	}
                                                            																	E00408639(_t269 + 0x114, _t271, 0x4305c4);
                                                            																	_t188 =  *(_t271 + 0x74);
                                                            																	__eflags = _t188 - _t216;
                                                            																	if(__eflags != 0) {
                                                            																		 *((intOrPtr*)( *_t188 + 8))(_t188);
                                                            																	}
                                                            																	L50:
                                                            																	_push( *((intOrPtr*)(_t271 - 0x10)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	_push( *((intOrPtr*)(_t271 + 0x40)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	_push( *((intOrPtr*)(_t271 + 0x20)));
                                                            																	L00408BFB(_t216, _t265, _t269, __eflags);
                                                            																	goto L30;
                                                            																}
                                                            															}
                                                            															_t196 = E00410BBB(_t216, _t265, _t269, __eflags,  *((intOrPtr*)(_t271 + 0x40)));
                                                            															__eflags = _t196;
                                                            															if(_t196 != 0) {
                                                            																goto L51;
                                                            															}
                                                            															__eflags =  *((intOrPtr*)(_t269 + 0x139)) - _t216;
                                                            															if( *((intOrPtr*)(_t269 + 0x139)) == _t216) {
                                                            																_t197 =  *0x430640; // 0x612618
                                                            																__eflags = _t197 - _t216;
                                                            																if(__eflags != 0) {
                                                            																	 *((intOrPtr*)( *_t197 + 0x28))(_t197,  *((intOrPtr*)(_t269 + 0x134)), 4);
                                                            																}
                                                            																 *((intOrPtr*)( *((intOrPtr*)(_t269 + 0x70)) + 4))( *0x4305b8,  *0x4305ac, _t216);
                                                            															} else {
                                                            																E00408639(_t269 + 0x114, _t271, 0x4305b8);
                                                            															}
                                                            															goto L50;
                                                            														} else {
                                                            															E00408639(_t269, _t271, _t271 + 0x40);
                                                            															__eflags =  *(_t271 + 0x73) - _t216;
                                                            															if(__eflags == 0) {
                                                            																E004109DE(_t216, _t265, _t269, __eflags,  *_t269, _t216, _t216, _t265); // executed
                                                            															} else {
                                                            																E00410AE4(_t216, _t265, _t269, __eflags,  *_t269);
                                                            															}
                                                            															_push( *((intOrPtr*)(_t271 + 0x40)));
                                                            															L00408BFB(_t216, _t265, _t269, __eflags);
                                                            															_push( *((intOrPtr*)(_t271 + 0x20)));
                                                            															L00408BFB(_t216, _t265, _t269, __eflags);
                                                            															L41:
                                                            															E004085B9(_t216, _t271 + 0x2c, _t265, _t269, __eflags);
                                                            															E00409A4A(_t271 + 0x4c);
                                                            															goto L42;
                                                            														}
                                                            													}
                                                            													L30:
                                                            													E004085B9(_t216, _t271 + 0x2c, _t265, _t269, __eflags);
                                                            													goto L17;
                                                            												}
                                                            												__eflags = _t158 - 0x40;
                                                            												if(__eflags != 0) {
                                                            													goto L17;
                                                            												}
                                                            												_t265 = _t269 + 0x3c;
                                                            												 *_t265 =  *((intOrPtr*)(_t271 + 0x54));
                                                            												_t160 =  *((intOrPtr*)(_t271 + 0x58));
                                                            												goto L29;
                                                            											}
                                                            										}
                                                            										E00409A4A(_t271);
                                                            										goto L13;
                                                            									}
                                                            									L17:
                                                            									E00409A4A(_t271 + 0x4c);
                                                            									L9:
                                                            									_push( *((intOrPtr*)(_t271 + 0x5c)));
                                                            									L00408BFB(_t216, _t265, _t269, __eflags);
                                                            									_t216 = 0x80004005;
                                                            									goto L5;
                                                            								}
                                                            								_t146 =  *((intOrPtr*)(_t269 + 0x68));
                                                            								goto L19;
                                                            							}
                                                            							L13:
                                                            							E00409A4A(_t271 + 0x4c);
                                                            							_push( *((intOrPtr*)(_t271 + 0x5c)));
                                                            							L00408BFB(_t216, _t267, _t269, __eflags);
                                                            							_t216 = _t267;
                                                            							goto L5;
                                                            						}
                                                            					} else {
                                                            						_t216 = _t134;
                                                            						L5:
                                                            						E00409A4A(_t271 + 0x10);
                                                            						_t142 = _t216;
                                                            						goto L2;
                                                            					}
                                                            				} else {
                                                            					_t142 = 0x80004004;
                                                            					L2:
                                                            					return _t142;
                                                            				}
                                                            			}

































                                                            APIs
                                                              • Part of subcall function 00411CBC: EnterCriticalSection.KERNEL32(?), ref: 00411CC5
                                                              • Part of subcall function 00411CBC: LeaveCriticalSection.KERNEL32(?), ref: 00411CCF
                                                            • ~_Task_impl.LIBCPMT ref: 00412B68
                                                            • ~_Task_impl.LIBCPMT ref: 00412BF1
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSectionTask_impl$EnterLeave
                                                            • String ID:
                                                            • API String ID: 780354280-0
                                                            • Opcode ID: 5db38160026231b1d05107a20a45b2055f218631d3f834470e5cee2c662f684f
                                                            • Instruction ID: f3c787646c1c79f05cba076eed6d765f51bab2c113c252654ac499985378fac1
                                                            • Opcode Fuzzy Hash: 5db38160026231b1d05107a20a45b2055f218631d3f834470e5cee2c662f684f
                                                            • Instruction Fuzzy Hash: 4AD18C71100248DFCF24EF65CA909EE37B5BF08304B10452EF956972A2EB79ED95DB48
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E00410F49(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t53;
                                                            				signed int _t56;
                                                            				long _t57;
                                                            				signed int _t59;
                                                            				intOrPtr* _t67;
                                                            				signed char _t68;
                                                            				signed int _t72;
                                                            				void* _t81;
                                                            				signed int _t89;
                                                            				signed int _t107;
                                                            				intOrPtr _t109;
                                                            				intOrPtr _t112;
                                                            				signed int _t114;
                                                            				void* _t116;
                                                            
                                                            				_t86 = __ebx;
                                                            				_push(0x5c);
                                                            				E00416B21(E00421D1D, __ebx, __edi, __esi);
                                                            				E00401647(_t116 - 0x18, _t116,  *((intOrPtr*)(_t116 + 8)));
                                                            				 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
                                                            				_t53 = E004099B4(_t116 - 0x18, 0x5c);
                                                            				if(_t53 <= 0) {
                                                            					L6:
                                                            					E00404082(_t116 - 0x24, _t116, _t116 - 0x18);
                                                            					_t114 =  *(_t116 - 0x14);
                                                            					 *(_t116 - 4) = 1;
                                                            					while(1) {
                                                            						_t112 =  *((intOrPtr*)(_t116 - 0x18));
                                                            						_t56 = E00410B45(_t86, _t112, _t114, __eflags, _t112); // executed
                                                            						__eflags = _t56;
                                                            						if(_t56 != 0) {
                                                            							break;
                                                            						}
                                                            						_t57 = GetLastError();
                                                            						__eflags = _t57 - 0xb7;
                                                            						if(_t57 == 0xb7) {
                                                            							E0040320A(_t116 - 0x40);
                                                            							_push(_t112);
                                                            							 *(_t116 - 4) = 2;
                                                            							_t59 = E00409371(_t86, _t116 - 0x68, _t110, _t112, _t114, __eflags); // executed
                                                            							__eflags = _t59;
                                                            							if(__eflags != 0) {
                                                            								__eflags =  *(_t116 - 0x48) >> 0x00000004 & 0x00000001;
                                                            								if(__eflags != 0) {
                                                            									_push( *((intOrPtr*)(_t116 - 0x40)));
                                                            									 *(_t116 - 4) = 1;
                                                            									L00408BFB(_t86, _t112, _t114, __eflags);
                                                            									L21:
                                                            									E00408639(_t116 - 0x18, _t116, _t116 - 0x24);
                                                            									while(1) {
                                                            										__eflags = _t114 -  *(_t116 - 0x14);
                                                            										if(__eflags >= 0) {
                                                            											break;
                                                            										}
                                                            										_t114 = E00406E0F(_t116 - 0x18, 0x5c, _t114 + 1);
                                                            										__eflags = _t114;
                                                            										if(_t114 < 0) {
                                                            											_t114 =  *(_t116 - 0x14);
                                                            										}
                                                            										_t67 = E00408730(_t116 - 0x18, _t116 - 0x30, _t114);
                                                            										 *(_t116 - 4) = 4;
                                                            										_t68 = E00410B45(_t86, _t112, _t114, __eflags,  *_t67);
                                                            										_push( *((intOrPtr*)(_t116 - 0x30)));
                                                            										asm("sbb bl, bl");
                                                            										_t86 =  ~_t68 + 1;
                                                            										 *(_t116 - 4) = 1;
                                                            										L00408BFB(_t86, _t112, _t114, __eflags);
                                                            										__eflags = _t86;
                                                            										if(__eflags != 0) {
                                                            											goto L27;
                                                            										} else {
                                                            											continue;
                                                            										}
                                                            										goto L29;
                                                            									}
                                                            									_push( *((intOrPtr*)(_t116 - 0x24)));
                                                            									L00408BFB(_t86, _t112, _t114, __eflags);
                                                            									_push( *((intOrPtr*)(_t116 - 0x18)));
                                                            									L00408BFB(_t86, _t112, _t114, __eflags);
                                                            									_t72 = 1;
                                                            								} else {
                                                            									_t89 = 0;
                                                            									goto L16;
                                                            								}
                                                            							} else {
                                                            								_t89 = 1;
                                                            								L16:
                                                            								_push( *((intOrPtr*)(_t116 - 0x40)));
                                                            								L00408BFB(_t89, _t112, _t114, __eflags);
                                                            								goto L17;
                                                            							}
                                                            						} else {
                                                            							_t114 = E004099B4(_t116 - 0x18, 0x5c);
                                                            							__eflags = _t114;
                                                            							if(__eflags < 0 || __eflags == 0) {
                                                            								_push( *((intOrPtr*)(_t116 - 0x24)));
                                                            								L00408BFB(_t86, _t112, _t114, __eflags);
                                                            								_push(_t112);
                                                            								L00408BFB(_t86, _t112, _t114, __eflags);
                                                            								_t72 = 0;
                                                            								__eflags = 0;
                                                            							} else {
                                                            								__eflags =  *((short*)(_t112 + _t114 * 2 - 2)) - 0x3a;
                                                            								if(__eflags == 0) {
                                                            									L27:
                                                            									_t89 = 0;
                                                            									L17:
                                                            									_push( *((intOrPtr*)(_t116 - 0x24)));
                                                            									L00408BFB(_t89, _t112, _t114, __eflags);
                                                            									_push( *((intOrPtr*)(_t116 - 0x18)));
                                                            									L00408BFB(_t89, _t112, _t114, __eflags);
                                                            									_t72 = _t89;
                                                            								} else {
                                                            									_t81 = E00408730(_t116 - 0x18, _t116 - 0x30, _t114);
                                                            									 *(_t116 - 4) = 3;
                                                            									E00408639(_t116 - 0x18, _t116, _t81);
                                                            									_push( *((intOrPtr*)(_t116 - 0x30)));
                                                            									 *(_t116 - 4) = 1;
                                                            									L00408BFB(_t86, _t112, _t114, __eflags);
                                                            									continue;
                                                            								}
                                                            							}
                                                            						}
                                                            						L29:
                                                            						goto L30;
                                                            					}
                                                            					goto L21;
                                                            				} else {
                                                            					_t107 =  *(_t116 - 0x14);
                                                            					_t110 = _t107 - 1;
                                                            					if(_t53 != _t107 - 1) {
                                                            						goto L6;
                                                            					} else {
                                                            						if(_t107 != 3) {
                                                            							L5:
                                                            							E00406DDA(_t116 - 0x18, _t53, 1);
                                                            							goto L6;
                                                            						} else {
                                                            							_t109 =  *((intOrPtr*)(_t116 - 0x18));
                                                            							_t121 =  *((short*)(_t109 + 2)) - 0x3a;
                                                            							if( *((short*)(_t109 + 2)) != 0x3a) {
                                                            								goto L5;
                                                            							} else {
                                                            								_push(_t109);
                                                            								L00408BFB(__ebx, __edi, __esi, _t121);
                                                            								_t72 = 1;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				L30:
                                                            				return E00416BF9(_t72);
                                                            			}


















                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410F50
                                                            • GetLastError.KERNEL32(?,?,0000005C), ref: 00410FB8
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ErrorH_prolog3Last
                                                            • String ID:
                                                            • API String ID: 685212868-0
                                                            • Opcode ID: 26b8e7ef6f6e6a1153239e8f0ac4f4cbe582f211056244c430997547e544c5d7
                                                            • Instruction ID: 2b8b99b76f60da9ec8f06de1b1a7b26d76a5bde200671efe753bb86a2765d737
                                                            • Opcode Fuzzy Hash: 26b8e7ef6f6e6a1153239e8f0ac4f4cbe582f211056244c430997547e544c5d7
                                                            • Instruction Fuzzy Hash: 8151B131C04149DACF11E791C992AEEBB749F15308F10406FF281731E3CE7A69C6EAA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E00413CE0(void* __ecx, intOrPtr __edx) {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t53;
                                                            				signed int _t54;
                                                            				intOrPtr* _t56;
                                                            				char _t64;
                                                            				char _t68;
                                                            				void* _t69;
                                                            				char _t75;
                                                            				char _t77;
                                                            				char _t78;
                                                            				signed int _t82;
                                                            				intOrPtr _t83;
                                                            				signed int _t84;
                                                            				intOrPtr _t98;
                                                            				char _t99;
                                                            				char _t102;
                                                            				intOrPtr _t103;
                                                            				void* _t104;
                                                            				signed int _t105;
                                                            				void* _t107;
                                                            				void* _t108;
                                                            
                                                            				_t95 = __edx;
                                                            				_t105 = _t107 - 0x1004;
                                                            				E00417EA0(0x1004);
                                                            				_push(0xffffffff);
                                                            				_push(E00422276);
                                                            				_push( *[fs:0x0]);
                                                            				_t108 = _t107 - 0x2c;
                                                            				_t53 =  *0x42d330; // 0x6d29bea0
                                                            				_t54 = _t53 ^ _t105;
                                                            				 *(_t105 + 0x1000) = _t54;
                                                            				_push(_t54);
                                                            				 *[fs:0x0] = _t105 - 0xc;
                                                            				_t56 =  *((intOrPtr*)(_t105 + 0x1010));
                                                            				_t97 =  *((intOrPtr*)(_t105 + 0x100c));
                                                            				 *((intOrPtr*)(_t56 + 4)) = 0;
                                                            				 *((intOrPtr*)(_t105 - 0x28)) = _t56;
                                                            				 *((char*)( *_t56)) = 0;
                                                            				 *(_t105 - 0x18) =  *(_t105 - 0x18) | 0xffffffff;
                                                            				 *((intOrPtr*)(_t105 - 0x34)) = __edx;
                                                            				 *((intOrPtr*)(_t105 - 0x30)) =  *((intOrPtr*)(_t105 + 0x100c));
                                                            				 *(_t105 - 4) = 0;
                                                            				if(E0040995B(__ecx) != 0) {
                                                            					 *((intOrPtr*)(_t105 - 0x14)) = E00408C55(__edx);
                                                            					 *((intOrPtr*)(_t105 - 0x24)) = E00408C55(_t97);
                                                            					_t102 = 0;
                                                            					__eflags = 0;
                                                            					 *((char*)(_t105 - 0xd)) = 0;
                                                            					 *((intOrPtr*)(_t105 - 0x20)) = 0;
                                                            					 *((intOrPtr*)(_t105 - 0x1c)) = 0;
                                                            					while(1) {
                                                            						L4:
                                                            						_t64 = E00409578(_t105 - 0x18, _t105 + _t102, 0x1000 - _t102, _t105 - 0x2c); // executed
                                                            						__eflags = _t64;
                                                            						if(_t64 == 0) {
                                                            							goto L1;
                                                            						}
                                                            						_t68 =  *((intOrPtr*)(_t105 - 0x2c));
                                                            						__eflags = _t68;
                                                            						if(_t68 == 0) {
                                                            							L19:
                                                            							_t82 = 1;
                                                            						} else {
                                                            							_t104 = _t102 + _t68;
                                                            							_t99 = 0;
                                                            							__eflags = 0;
                                                            							_t84 = _t105;
                                                            							while(1) {
                                                            								__eflags =  *((char*)(_t105 - 0xd));
                                                            								_t69 = _t104;
                                                            								if( *((char*)(_t105 - 0xd)) != 0) {
                                                            								}
                                                            								L8:
                                                            								__eflags = _t99 - _t69 -  *((intOrPtr*)(_t105 - 0x24));
                                                            								if(_t99 > _t69 -  *((intOrPtr*)(_t105 - 0x24))) {
                                                            									L16:
                                                            									_t102 = _t104 - _t99;
                                                            									 *((intOrPtr*)(_t105 - 0x20)) =  *((intOrPtr*)(_t105 - 0x20)) + _t99;
                                                            									asm("adc dword [ebp-0x1c], 0x0");
                                                            									E00416C30(_t84, _t99, _t102, _t105, _t105 + _t99, _t102);
                                                            									_t108 = _t108 + 0xc;
                                                            									__eflags =  *((intOrPtr*)(_t105 - 0x1c));
                                                            									if( *((intOrPtr*)(_t105 - 0x1c)) > 0) {
                                                            										L18:
                                                            										__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t105 - 0x28)) + 4));
                                                            										_t82 = _t84 & 0xffffff00 |  *((intOrPtr*)( *((intOrPtr*)(_t105 - 0x28)) + 4)) == 0x00000000;
                                                            									} else {
                                                            										__eflags =  *((intOrPtr*)(_t105 - 0x20)) - 0x100000;
                                                            										if( *((intOrPtr*)(_t105 - 0x20)) <= 0x100000) {
                                                            											goto L4;
                                                            										} else {
                                                            											goto L18;
                                                            										}
                                                            									}
                                                            								} else {
                                                            									_t77 = E00415060(_t84,  *((intOrPtr*)(_t105 - 0x30)),  *((intOrPtr*)(_t105 - 0x24)));
                                                            									_t108 = _t108 + 0xc;
                                                            									__eflags = _t77;
                                                            									if(_t77 == 0) {
                                                            										goto L19;
                                                            									} else {
                                                            										_t78 =  *_t84;
                                                            										 *((char*)(_t105 - 0x38)) = _t78;
                                                            										__eflags = _t78;
                                                            										if(__eflags == 0) {
                                                            											goto L1;
                                                            										} else {
                                                            											E00408D38( *((intOrPtr*)(_t105 - 0x28)), _t95, __eflags,  *((intOrPtr*)(_t105 - 0x38)));
                                                            											L12:
                                                            											_t99 = _t99 + 1;
                                                            											_t84 = _t84 + 1;
                                                            											while(1) {
                                                            												__eflags =  *((char*)(_t105 - 0xd));
                                                            												_t69 = _t104;
                                                            												if( *((char*)(_t105 - 0xd)) != 0) {
                                                            												}
                                                            												goto L13;
                                                            											}
                                                            											goto L8;
                                                            										}
                                                            									}
                                                            								}
                                                            								goto L2;
                                                            								L13:
                                                            								__eflags = _t99 - _t69 -  *((intOrPtr*)(_t105 - 0x14));
                                                            								if(_t99 > _t69 -  *((intOrPtr*)(_t105 - 0x14))) {
                                                            									goto L16;
                                                            								} else {
                                                            									_t75 = E00415060(_t84,  *((intOrPtr*)(_t105 - 0x34)),  *((intOrPtr*)(_t105 - 0x14)));
                                                            									_t108 = _t108 + 0xc;
                                                            									__eflags = _t75;
                                                            									if(_t75 != 0) {
                                                            										goto L12;
                                                            									} else {
                                                            										_t99 = _t99 +  *((intOrPtr*)(_t105 - 0x14));
                                                            										_t84 = _t84 +  *((intOrPtr*)(_t105 - 0x14));
                                                            										 *((char*)(_t105 - 0xd)) = 1;
                                                            									}
                                                            									continue;
                                                            								}
                                                            								goto L2;
                                                            							}
                                                            						}
                                                            						goto L2;
                                                            					}
                                                            					goto L1;
                                                            				} else {
                                                            					L1:
                                                            					_t82 = 0;
                                                            				}
                                                            				L2:
                                                            				 *(_t105 - 4) =  *(_t105 - 4) | 0xffffffff;
                                                            				L0040969F(_t105 - 0x18);
                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t105 - 0xc));
                                                            				_pop(_t98);
                                                            				_pop(_t103);
                                                            				_pop(_t83);
                                                            				return E00416B12(_t82, _t83,  *(_t105 + 0x1000) ^ _t105, _t95, _t98, _t103);
                                                            			}



























                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: 78ef38fa871b7c9593758ba90e846cda18cf4e2d7fe881e8a5c084f9524df316
                                                            • Instruction ID: 9072c5b9033ec645a03ce027045230414212cc1cb81a3bdc800e690e571dd37c
                                                            • Opcode Fuzzy Hash: 78ef38fa871b7c9593758ba90e846cda18cf4e2d7fe881e8a5c084f9524df316
                                                            • Instruction Fuzzy Hash: D5519072D002489FCF21DFA9D980BDEBBB4FF08355F14416AE855B3291D7389A84CB68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 97%
                                                            			E0040C093(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                            				long _t29;
                                                            				intOrPtr* _t30;
                                                            				intOrPtr* _t36;
                                                            				intOrPtr* _t43;
                                                            				void* _t56;
                                                            				long _t60;
                                                            				void* _t61;
                                                            
                                                            				_t59 = __esi;
                                                            				_t56 = __edx;
                                                            				_push(0xc);
                                                            				E00416B21(E00421A6F, __ebx, __edi, __esi);
                                                            				 *((intOrPtr*)(_t61 - 0x18)) = __ecx;
                                                            				 *((intOrPtr*)(_t61 - 0x10)) = 0;
                                                            				_t58 = 0;
                                                            				 *(_t61 - 4) = 0;
                                                            				 *((intOrPtr*)(_t61 - 0x14)) = 0;
                                                            				 *(_t61 - 4) = 1;
                                                            				_t63 =  *((intOrPtr*)(_t61 + 0x10));
                                                            				if( *((intOrPtr*)(_t61 + 0x10)) == 0) {
                                                            					__eflags =  *((intOrPtr*)(_t61 + 0x14));
                                                            					if(__eflags != 0) {
                                                            						L12:
                                                            						_t29 = E0040BD49(0,  *((intOrPtr*)(_t61 - 0x18)), _t56, _t58, _t59, _t64,  *((intOrPtr*)(_t61 + 8)),  *((intOrPtr*)(_t61 + 0xc)),  *((intOrPtr*)(_t61 + 0x14)), _t58,  *((intOrPtr*)(_t61 + 0x18))); // executed
                                                            						_t60 = _t29;
                                                            						 *(_t61 - 4) = 0;
                                                            						if(_t58 != 0) {
                                                            							 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                            						}
                                                            						L14:
                                                            						_t30 =  *((intOrPtr*)(_t61 - 0x10));
                                                            						 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
                                                            						if(_t30 != 0) {
                                                            							 *((intOrPtr*)( *_t30 + 8))(_t30);
                                                            						}
                                                            						return E00416BF9(_t60);
                                                            					}
                                                            					_t36 = E00408BD0(0, 0, __eflags, 0x10);
                                                            					__eflags = _t36;
                                                            					if(_t36 == 0) {
                                                            						_t59 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_t59 = E0040B3F7(_t36);
                                                            					}
                                                            					E00406200(_t61 - 0x10, _t59);
                                                            					__eflags = E00409D98(_t59,  *((intOrPtr*)( *((intOrPtr*)(_t61 - 0x18)) + 4)));
                                                            					if(__eflags != 0) {
                                                            						 *((intOrPtr*)(_t61 + 0x14)) =  *((intOrPtr*)(_t61 - 0x10));
                                                            						goto L12;
                                                            					} else {
                                                            						_t60 = GetLastError();
                                                            						goto L14;
                                                            					}
                                                            				}
                                                            				_t43 = E00408BD0(0, 0, _t63, 8);
                                                            				_t64 = _t43;
                                                            				if(_t43 == 0) {
                                                            					_t43 = 0;
                                                            					__eflags = 0;
                                                            				} else {
                                                            					 *((intOrPtr*)(_t43 + 4)) = 0;
                                                            					 *_t43 = 0x4239fc;
                                                            				}
                                                            				E00406200(_t61 - 0x14, _t43);
                                                            				_t58 =  *((intOrPtr*)(_t61 - 0x14));
                                                            				goto L12;
                                                            			}











                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040C09A
                                                            • GetLastError.KERNEL32(?,00000000,0000000C), ref: 0040C117
                                                              • Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ErrorException@8H_prolog3LastThrow_malloc
                                                            • String ID:
                                                            • API String ID: 699586071-0
                                                            • Opcode ID: 6f71e3ce7b022161a9afa57649c5e0132424b33a35054e030d14f24926955252
                                                            • Instruction ID: a1ba42dc0e2565b842cce3423af7a9164aaecf9ecffcd2708a80ee49d7a1a354
                                                            • Opcode Fuzzy Hash: 6f71e3ce7b022161a9afa57649c5e0132424b33a35054e030d14f24926955252
                                                            • Instruction Fuzzy Hash: E7217E71900256DFCB10EFE5C8818AFBBB1AF44310F11417EE501BB292CB388E51DB99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E00413849() {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				intOrPtr* _t18;
                                                            				signed int _t20;
                                                            				signed int _t22;
                                                            				signed int _t24;
                                                            
                                                            				if(GetVersion() < 0x106) {
                                                            					L4:
                                                            					return 0;
                                                            				}
                                                            				_v8 = _v8 & 0x00000000;
                                                            				__imp__CoCreateInstance(0x424144, 0, 0x15, 0x424468,  &_v8); // executed
                                                            				_t18 = _v8;
                                                            				if(_t18 == 0) {
                                                            					goto L4;
                                                            				}
                                                            				 *((intOrPtr*)( *_t18 + 0xc))(_t18);
                                                            				_t20 = _v8;
                                                            				_v12 = _v12 & 0x00000000;
                                                            				 *((intOrPtr*)( *_t20))(_t20, 0x424154,  &_v12);
                                                            				_t22 = _v12;
                                                            				if(_t22 == 0) {
                                                            					goto L4;
                                                            				}
                                                            				_v16 = _v16 & 0x00000000;
                                                            				 *((intOrPtr*)( *_t22))(_t22, 0x424164,  &_v16);
                                                            				_t24 = _v16;
                                                            				if(_t24 == 0) {
                                                            					goto L4;
                                                            				}
                                                            				return _t24;
                                                            			}











                                                            APIs
                                                            • GetVersion.KERNEL32 ref: 0041384F
                                                            • CoCreateInstance.OLE32(00424144,00000000,00000015,00424468,00000000), ref: 00413872
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CreateInstanceVersion
                                                            • String ID:
                                                            • API String ID: 1462612201-0
                                                            • Opcode ID: 1df9f16ccb6b58e935b73724829fc73732dd41c85f6bb66b2655cf45922927b1
                                                            • Instruction ID: 000772e63e32c23fd11f283ae19779ba3719b23df6ed4c586ad162505f51138c
                                                            • Opcode Fuzzy Hash: 1df9f16ccb6b58e935b73724829fc73732dd41c85f6bb66b2655cf45922927b1
                                                            • Instruction Fuzzy Hash: E401DE74B40209AFEB10DFA0D849BAEB7B9EF84706F504495F501E7294D778DA44CB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E00411356(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t19;
                                                            				void* _t20;
                                                            				void* _t22;
                                                            				void* _t27;
                                                            				long _t28;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				intOrPtr* _t37;
                                                            				void* _t38;
                                                            				void* _t39;
                                                            				signed int _t41;
                                                            
                                                            				_t39 = __eflags;
                                                            				_t35 = __edi;
                                                            				_t34 = __edx;
                                                            				_t29 = __ebx;
                                                            				_push(0x10);
                                                            				E00416B21(E00421DA7, __ebx, __edi, __esi);
                                                            				 *((char*)(_t38 - 0x1c)) = 0;
                                                            				E0040320A(_t38 - 0x18);
                                                            				_t37 =  *((intOrPtr*)(_t38 + 0xc));
                                                            				while(1) {
                                                            					 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                                            					_push(_t37);
                                                            					_push( *((intOrPtr*)(_t38 + 8)));
                                                            					_t19 = E004112DF(_t29, _t38 - 0x1c, _t35, _t37, _t39); // executed
                                                            					_t32 = _t38 - 0x1c;
                                                            					if(_t19 == 0) {
                                                            						break;
                                                            					}
                                                            					_t20 = E00410ED7(_t32);
                                                            					 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
                                                            					_t32 = _t38 - 0x1c;
                                                            					__eflags = _t20;
                                                            					if(__eflags == 0) {
                                                            						L8:
                                                            						E00410EFB(_t29, _t32, _t35, _t37, _t41);
                                                            						goto L9;
                                                            					} else {
                                                            						E00410EFB(_t29, _t32, _t35, _t37, __eflags);
                                                            						_push( *_t37);
                                                            						__eflags = E004093A5(_t29, _t34, _t35, _t37, __eflags);
                                                            						if(__eflags != 0) {
                                                            							L5:
                                                            							 *((char*)(_t38 - 0x1c)) = 0;
                                                            							E0040320A(_t38 - 0x18);
                                                            							continue;
                                                            						} else {
                                                            							_t27 = E00410B45(_t29, _t35, _t37, __eflags,  *_t37); // executed
                                                            							__eflags = _t27;
                                                            							if(_t27 != 0) {
                                                            								_t22 = 1;
                                                            							} else {
                                                            								_t28 = GetLastError();
                                                            								__eflags = _t28 - 0xb7;
                                                            								if(_t28 != 0xb7) {
                                                            									L9:
                                                            									_t22 = 0;
                                                            								} else {
                                                            									goto L5;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					return E00416BF9(_t22);
                                                            				}
                                                            				_t14 = _t38 - 4;
                                                            				 *_t14 =  *(_t38 - 4) | 0xffffffff;
                                                            				_t41 =  *_t14;
                                                            				goto L8;
                                                            			}















                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000010), ref: 0041139E
                                                            • __EH_prolog3.LIBCMT ref: 0041135D
                                                              • Part of subcall function 004112DF: __EH_prolog3.LIBCMT ref: 004112E6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1123136255-0
                                                            • Opcode ID: 96578f8bff04cf8a7b456c39c0e24a1343eb24f2b3f1e351b7eec449cc7ada3b
                                                            • Instruction ID: 4d74e45737cbc16d5ab25d606c96acb1679b630d10f22d458e1cb79225f15e9c
                                                            • Opcode Fuzzy Hash: 96578f8bff04cf8a7b456c39c0e24a1343eb24f2b3f1e351b7eec449cc7ada3b
                                                            • Instruction Fuzzy Hash: D0016130804209D6EF10EFA2C4127EE7B30AF21318F50455EE9B5725E6CB7D5ACA9A2D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E004094D4(void** __ecx, long _a4, long _a8, long _a12, long* _a16) {
                                                            				long _v8;
                                                            				long _v12;
                                                            				long _t12;
                                                            				long _t13;
                                                            				long* _t14;
                                                            
                                                            				_push(__ecx);
                                                            				_push(__ecx);
                                                            				_t12 = _a4;
                                                            				_v8 = _a8;
                                                            				_v12 = _t12;
                                                            				_t13 = SetFilePointer( *__ecx, _t12,  &_v8, _a12); // executed
                                                            				_v12 = _t13;
                                                            				if(_t13 != 0xffffffff || GetLastError() == 0) {
                                                            					_t14 = _a16;
                                                            					 *_t14 = _v12;
                                                            					_t14[1] = _v8;
                                                            					return 1;
                                                            				} else {
                                                            					return 0;
                                                            				}
                                                            			}









                                                            APIs
                                                            • SetFilePointer.KERNELBASE(?,?,?,?), ref: 004094EF
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 004094FD
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: fa3f465384efa713828032d14a6a94ea8478530fef4b6e82bf37657b339afb13
                                                            • Instruction ID: fbd6efd8cf4175c4798840f9bed2d540fd355ead534814f07e711e1958e42c6f
                                                            • Opcode Fuzzy Hash: fa3f465384efa713828032d14a6a94ea8478530fef4b6e82bf37657b339afb13
                                                            • Instruction Fuzzy Hash: 73F03AB9A00208FFCF05CFA4D8848AE7BB4EF89310B108569F815A7395C734DE41EB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004179F7(void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t8;
                                                            				void* _t12;
                                                            				void* _t20;
                                                            				void* _t21;
                                                            
                                                            				_t21 = __eflags;
                                                            				E00417B6C(_t12, __edi, __esi);
                                                            				_t8 = E00418908(_t12, __edx, __edi, _t21);
                                                            				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                                                            				E004179BA( *((intOrPtr*)(_t8 + 0x54))( *((intOrPtr*)(_t8 + 0x58)), 0x42a4b0, 0xc)); // executed
                                                            				 *((intOrPtr*)(_t20 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
                                                            				return E0041B09E(_t12,  *(_t20 - 4),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14)))))),  *((intOrPtr*)(_t20 - 0x14)));
                                                            			}








                                                            APIs
                                                            • __getptd.LIBCMT ref: 00417A03
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                              • Part of subcall function 004179BA: __IsNonwritableInCurrentImage.LIBCMT ref: 004179CD
                                                              • Part of subcall function 004179BA: __getptd_noexit.LIBCMT ref: 004179DD
                                                              • Part of subcall function 004179BA: __freeptd.LIBCMT ref: 004179E7
                                                              • Part of subcall function 004179BA: ExitThread.KERNEL32 ref: 004179F0
                                                            • __XcptFilter.LIBCMT ref: 00417A24
                                                              • Part of subcall function 0041B09E: __getptd_noexit.LIBCMT ref: 0041B0A6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
                                                            • String ID:
                                                            • API String ID: 393088965-0
                                                            • Opcode ID: 6215b15f5c09947322d8b88f687601d361d4533a62d598d40856043c2456a924
                                                            • Instruction ID: 73bea7e35d643c5b26081d1ecd72eb0c33755df2b749e5cd7e68a975cd858d27
                                                            • Opcode Fuzzy Hash: 6215b15f5c09947322d8b88f687601d361d4533a62d598d40856043c2456a924
                                                            • Instruction Fuzzy Hash: E7E0ECB1E146049FE718BBA1CD46FBE7775EF44309F21404EF1016B2A2CB7DAD849A29
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00408BD0(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                            				char _v5;
                                                            				void* _t6;
                                                            				void* _t13;
                                                            
                                                            				_t6 = E00417414(__ebx, _t13, __edi, _a4); // executed
                                                            				if(_t6 == 0) {
                                                            					asm("stosb");
                                                            					return E004166E0( &_v5, 0x429378);
                                                            				}
                                                            				return _t6;
                                                            			}







                                                            APIs
                                                            • _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00417414: __FF_MSGBANNER.LIBCMT ref: 00417437
                                                              • Part of subcall function 00417414: __NMSG_WRITE.LIBCMT ref: 0041743E
                                                              • Part of subcall function 00417414: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C,00419EC2), ref: 0041748B
                                                            • __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                              • Part of subcall function 004166E0: RaiseException.KERNEL32(?,?,?,00000001), ref: 00416722
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_malloc
                                                            • String ID:
                                                            • API String ID: 2732643326-0
                                                            • Opcode ID: d4306bca08c0742015f8dd9fb624f9e6256735586e9571db0372f55418b293d0
                                                            • Instruction ID: 04aa4d66bcb8eae7d744240562f1434118ced274b530ac757c2cc185b7e384fe
                                                            • Opcode Fuzzy Hash: d4306bca08c0742015f8dd9fb624f9e6256735586e9571db0372f55418b293d0
                                                            • Instruction Fuzzy Hash: A0D05E3490834979CF01EBA5D802AEE7F7C4945298B4004EAE84062243DA7AE64F9668
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041AA52(int _a4) {
                                                            
                                                            				E0041AA27(_a4);
                                                            				ExitProcess(_a4);
                                                            			}




                                                            APIs
                                                            • ___crtCorExitProcess.LIBCMT ref: 0041AA5A
                                                              • Part of subcall function 0041AA27: GetModuleHandleW.KERNEL32(mscoree.dll,?,0041AA5F,?,?,0041744D,000000FF,0000001E,?,0041ADD9,?,00000001,?,?,00419E31,00000018), ref: 0041AA31
                                                              • Part of subcall function 0041AA27: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041AA41
                                                            • ExitProcess.KERNEL32 ref: 0041AA63
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                            • String ID:
                                                            • API String ID: 2427264223-0
                                                            • Opcode ID: cdf78dcfc99b7c62e93538ae0455f7e7501f9fd1b3385d9253a2e476e9fb477e
                                                            • Instruction ID: 4374e543243410c85885a680b655107df52ba2b40df2f57ce153712b46731692
                                                            • Opcode Fuzzy Hash: cdf78dcfc99b7c62e93538ae0455f7e7501f9fd1b3385d9253a2e476e9fb477e
                                                            • Instruction Fuzzy Hash: EEB09231100148BBCB112F12DC0A8993F2AEF817A6B508026F91809031DF76EEB2DA99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E0040C166(void* __ebx, intOrPtr __ecx, signed int __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				void* _t164;
                                                            				signed int _t168;
                                                            				signed int _t170;
                                                            				intOrPtr* _t173;
                                                            				signed int _t174;
                                                            				intOrPtr* _t176;
                                                            				intOrPtr* _t178;
                                                            				signed int _t179;
                                                            				signed int _t180;
                                                            				signed int _t181;
                                                            				signed int _t183;
                                                            				signed int _t184;
                                                            				signed int _t188;
                                                            				signed int _t190;
                                                            				signed int _t191;
                                                            				signed int _t192;
                                                            				signed int _t198;
                                                            				signed int _t200;
                                                            				signed int _t202;
                                                            				signed int _t203;
                                                            				signed int _t207;
                                                            				signed int _t212;
                                                            				signed int _t214;
                                                            				signed int _t215;
                                                            				signed int _t216;
                                                            				signed int _t223;
                                                            				signed int _t225;
                                                            				signed int _t226;
                                                            				signed int _t227;
                                                            				signed int _t235;
                                                            				intOrPtr _t243;
                                                            				signed int _t245;
                                                            				intOrPtr* _t246;
                                                            				signed int _t248;
                                                            				void* _t253;
                                                            				signed int _t300;
                                                            				intOrPtr _t304;
                                                            				intOrPtr* _t306;
                                                            				signed int _t307;
                                                            				intOrPtr* _t308;
                                                            
                                                            				_t300 = __edi;
                                                            				_push(0x78);
                                                            				_t164 = E00416B21(E00421AC5, __ebx, __edi, __esi);
                                                            				_t243 = __ecx;
                                                            				 *((intOrPtr*)(_t308 + 0x18)) = __ecx;
                                                            				E0040B772(_t164, __ecx);
                                                            				if( *((intOrPtr*)( *((intOrPtr*)(_t308 + 0x38)) + 8)) < 0x20) {
                                                            					while(1) {
                                                            						_t304 =  *((intOrPtr*)(_t308 + 0x38));
                                                            						_t168 =  *(_t304 + 8);
                                                            						_t248 =  *(_t243 + 8);
                                                            						_t300 = _t300 | 0xffffffff;
                                                            						__eflags = _t168 - 1;
                                                            						 *(_t308 + 0x14) = _t300;
                                                            						if(_t168 < 1) {
                                                            							goto L6;
                                                            						}
                                                            						L4:
                                                            						__eflags = _t248 - _t168;
                                                            						if(_t248 >= _t168) {
                                                            							L53:
                                                            							__eflags =  *(_t243 + 8);
                                                            							 *((char*)(_t243 + 0x30)) = _t168 & 0xffffff00 |  *(_t243 + 8) != 0x00000000;
                                                            							_t170 = 0;
                                                            							__eflags = 0;
                                                            							goto L54;
                                                            						} else {
                                                            							 *(_t308 + 0x14) =  *(_t304 + (_t168 - _t248) * 4 - 4);
                                                            							L7:
                                                            							__eflags = _t248;
                                                            							if(__eflags != 0) {
                                                            								_t306 =  *((intOrPtr*)( *((intOrPtr*)(_t243 + 0xc)) + _t248 * 4 - 4));
                                                            								 *((short*)(_t308 + 4)) = 0;
                                                            								 *((short*)(_t308 + 6)) = 0;
                                                            								_t173 =  *_t306;
                                                            								 *(_t308 - 4) = 1;
                                                            								_t174 =  *((intOrPtr*)( *_t173 + 0x20))(_t173, 1, _t308 + 4);
                                                            								__eflags = _t174;
                                                            								if(_t174 != 0) {
                                                            									L36:
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									_t307 = _t174;
                                                            									E00409A4A(_t308 + 4);
                                                            									L35:
                                                            									_t170 = _t307;
                                                            									goto L54;
                                                            								}
                                                            								__eflags =  *((short*)(_t308 + 4)) - 0x13;
                                                            								if( *((short*)(_t308 + 4)) != 0x13) {
                                                            									_t160 = _t308 - 4;
                                                            									 *_t160 =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags =  *_t160;
                                                            									_t253 = _t308 + 4;
                                                            									L75:
                                                            									_t168 = E00409A4A(_t253);
                                                            									goto L53;
                                                            								}
                                                            								_t176 =  *_t306;
                                                            								_t300 =  *(_t308 + 0xc);
                                                            								_t174 =  *((intOrPtr*)( *_t176 + 0x14))(_t176, _t308);
                                                            								__eflags = _t174;
                                                            								if(_t174 != 0) {
                                                            									goto L36;
                                                            								}
                                                            								 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            								_t253 = _t308 + 4;
                                                            								__eflags = _t300 -  *_t308;
                                                            								if(_t300 >=  *_t308) {
                                                            									goto L75;
                                                            								}
                                                            								E00409A4A(_t253);
                                                            								 *(_t308 + 0x28) =  *(_t308 + 0x28) & 0x00000000;
                                                            								_t178 =  *_t306;
                                                            								 *(_t308 - 4) = 2;
                                                            								_t179 =  *((intOrPtr*)( *_t178))(_t178, 0x424104, _t308 + 0x28);
                                                            								__eflags = _t179;
                                                            								_t168 =  *(_t308 + 0x28);
                                                            								if(_t179 != 0) {
                                                            									L72:
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags = _t168;
                                                            									if(_t168 != 0) {
                                                            										_t168 =  *((intOrPtr*)( *_t168 + 8))(_t168);
                                                            									}
                                                            									goto L53;
                                                            								}
                                                            								__eflags = _t168;
                                                            								if(_t168 == 0) {
                                                            									goto L72;
                                                            								}
                                                            								 *(_t308 + 0x20) =  *(_t308 + 0x20) & 0x00000000;
                                                            								 *(_t308 - 4) = 3;
                                                            								_t180 =  *((intOrPtr*)( *_t168 + 0xc))(_t168, _t300, _t308 + 0x20);
                                                            								__eflags = _t180;
                                                            								_t181 =  *(_t308 + 0x20);
                                                            								if(_t180 != 0) {
                                                            									L68:
                                                            									__eflags = _t181;
                                                            									L69:
                                                            									 *(_t308 - 4) = 2;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t181 + 8))(_t181);
                                                            									}
                                                            									_t168 =  *(_t308 + 0x28);
                                                            									goto L72;
                                                            								}
                                                            								__eflags = _t181;
                                                            								if(__eflags == 0) {
                                                            									goto L69;
                                                            								}
                                                            								 *(_t308 + 0x24) =  *(_t308 + 0x24) & 0x00000000;
                                                            								_t299 = _t308 + 0x24;
                                                            								 *(_t308 - 4) = 4;
                                                            								_t183 =  *((intOrPtr*)( *_t181))(_t181, 0x424004, _t308 + 0x24);
                                                            								__eflags = _t183;
                                                            								_t184 =  *(_t308 + 0x24);
                                                            								if(_t183 != 0) {
                                                            									L65:
                                                            									 *(_t308 - 4) = 3;
                                                            									__eflags = _t184;
                                                            									if(_t184 != 0) {
                                                            										 *((intOrPtr*)( *_t184 + 8))(_t184);
                                                            									}
                                                            									_t181 =  *(_t308 + 0x20);
                                                            									goto L68;
                                                            								}
                                                            								__eflags = _t184;
                                                            								if(__eflags == 0) {
                                                            									goto L65;
                                                            								}
                                                            								E0040B9D7(_t243, _t308 - 0x48, _t300, _t306, __eflags);
                                                            								_push(_t308 - 0x44);
                                                            								_push(_t300);
                                                            								 *(_t308 - 4) = 5;
                                                            								_t188 = E0040BA1B(_t243, _t306, _t300, _t306, __eflags);
                                                            								_t245 = _t188;
                                                            								__eflags = _t245;
                                                            								if(__eflags != 0) {
                                                            									L37:
                                                            									 *(_t308 - 4) = 4;
                                                            									E0040B864(_t308 - 0x48, __eflags);
                                                            									_t190 =  *(_t308 + 0x24);
                                                            									 *(_t308 - 4) = 3;
                                                            									__eflags = _t190;
                                                            									if(_t190 != 0) {
                                                            										 *((intOrPtr*)( *_t190 + 8))(_t190);
                                                            									}
                                                            									_t191 =  *(_t308 + 0x20);
                                                            									 *(_t308 - 4) = 2;
                                                            									__eflags = _t191;
                                                            									if(_t191 != 0) {
                                                            										 *((intOrPtr*)( *_t191 + 8))(_t191);
                                                            									}
                                                            									_t192 =  *(_t308 + 0x28);
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags = _t192;
                                                            									if(_t192 != 0) {
                                                            										 *((intOrPtr*)( *_t192 + 8))(_t192);
                                                            									}
                                                            									_t170 = _t245;
                                                            									goto L54;
                                                            								}
                                                            								 *(_t308 + 0x1c) =  *(_t308 + 0x1c) & _t188;
                                                            								_t246 =  *((intOrPtr*)(_t308 + 0x48));
                                                            								 *(_t308 - 4) = 6;
                                                            								 *((intOrPtr*)( *_t246))(_t246, 0x424114, _t308 + 0x1c);
                                                            								_t198 =  *(_t308 + 0x1c);
                                                            								__eflags = _t198;
                                                            								if(__eflags != 0) {
                                                            									 *((intOrPtr*)( *_t198 + 0xc))(_t198,  *((intOrPtr*)(_t308 - 0x44)));
                                                            								}
                                                            								 *(_t308 - 0x28) = _t300;
                                                            								_t245 = E0040BD49(_t246, _t308 - 0x48, _t299, _t300, _t306, __eflags,  *((intOrPtr*)(_t308 + 0x34)),  *(_t308 + 0x14),  *(_t308 + 0x24), 0, _t246);
                                                            								__eflags = _t245 - 1;
                                                            								if(_t245 == 1) {
                                                            									_t200 =  *(_t308 + 0x1c);
                                                            									 *(_t308 - 4) = 5;
                                                            									__eflags = _t200;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t200 + 8))(_t200);
                                                            									}
                                                            									 *(_t308 - 4) = 4;
                                                            									E0040B864(_t308 - 0x48, __eflags);
                                                            									_t202 =  *(_t308 + 0x24);
                                                            									 *(_t308 - 4) = 3;
                                                            									__eflags = _t202;
                                                            									if(_t202 != 0) {
                                                            										 *((intOrPtr*)( *_t202 + 8))(_t202);
                                                            									}
                                                            									_t203 =  *(_t308 + 0x20);
                                                            									 *(_t308 - 4) = 2;
                                                            									__eflags = _t203;
                                                            									if(_t203 != 0) {
                                                            										 *((intOrPtr*)( *_t203 + 8))(_t203);
                                                            									}
                                                            									_t168 =  *(_t308 + 0x28);
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags = _t168;
                                                            									if(_t168 != 0) {
                                                            										_t168 =  *((intOrPtr*)( *_t168 + 8))(_t168);
                                                            									}
                                                            									_t243 =  *((intOrPtr*)(_t308 + 0x18));
                                                            									goto L53;
                                                            								} else {
                                                            									__eflags = _t245;
                                                            									if(__eflags != 0) {
                                                            										_t207 =  *(_t308 + 0x1c);
                                                            										 *(_t308 - 4) = 5;
                                                            										__eflags = _t207;
                                                            										if(__eflags != 0) {
                                                            											 *((intOrPtr*)( *_t207 + 8))(_t207);
                                                            										}
                                                            										goto L37;
                                                            									}
                                                            									_t307 = E0040B7A3(_t245, _t306, _t300, _t306, __eflags, _t300, _t308 - 0x24, _t308 - 0x1c);
                                                            									__eflags = _t307;
                                                            									if(__eflags != 0) {
                                                            										_t212 =  *(_t308 + 0x1c);
                                                            										 *(_t308 - 4) = 5;
                                                            										__eflags = _t212;
                                                            										if(__eflags != 0) {
                                                            											 *((intOrPtr*)( *_t212 + 8))(_t212);
                                                            										}
                                                            										 *(_t308 - 4) = 4;
                                                            										E0040B864(_t308 - 0x48, __eflags);
                                                            										_t214 =  *(_t308 + 0x24);
                                                            										 *(_t308 - 4) = 3;
                                                            										__eflags = _t214;
                                                            										if(_t214 != 0) {
                                                            											 *((intOrPtr*)( *_t214 + 8))(_t214);
                                                            										}
                                                            										_t215 =  *(_t308 + 0x20);
                                                            										 *(_t308 - 4) = 2;
                                                            										__eflags = _t215;
                                                            										if(_t215 != 0) {
                                                            											 *((intOrPtr*)( *_t215 + 8))(_t215);
                                                            										}
                                                            										_t216 =  *(_t308 + 0x28);
                                                            										 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            										__eflags = _t216;
                                                            										if(_t216 != 0) {
                                                            											 *((intOrPtr*)( *_t216 + 8))(_t216);
                                                            										}
                                                            										goto L35;
                                                            									}
                                                            									_push(_t308 - 0x48);
                                                            									E0040BB33(_t245,  *((intOrPtr*)(_t308 + 0x18)), _t300, _t307, __eflags);
                                                            									_t223 =  *(_t308 + 0x1c);
                                                            									 *(_t308 - 4) = 5;
                                                            									__eflags = _t223;
                                                            									if(__eflags != 0) {
                                                            										 *((intOrPtr*)( *_t223 + 8))(_t223);
                                                            									}
                                                            									 *(_t308 - 4) = 4;
                                                            									E0040B864(_t308 - 0x48, __eflags);
                                                            									_t225 =  *(_t308 + 0x24);
                                                            									 *(_t308 - 4) = 3;
                                                            									__eflags = _t225;
                                                            									if(_t225 != 0) {
                                                            										 *((intOrPtr*)( *_t225 + 8))(_t225);
                                                            									}
                                                            									_t226 =  *(_t308 + 0x20);
                                                            									 *(_t308 - 4) = 2;
                                                            									__eflags = _t226;
                                                            									if(_t226 != 0) {
                                                            										 *((intOrPtr*)( *_t226 + 8))(_t226);
                                                            									}
                                                            									_t227 =  *(_t308 + 0x28);
                                                            									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
                                                            									__eflags = _t227;
                                                            									if(_t227 != 0) {
                                                            										 *((intOrPtr*)( *_t227 + 8))(_t227);
                                                            									}
                                                            									_t243 =  *((intOrPtr*)(_t308 + 0x18));
                                                            									while(1) {
                                                            										_t304 =  *((intOrPtr*)(_t308 + 0x38));
                                                            										_t168 =  *(_t304 + 8);
                                                            										_t248 =  *(_t243 + 8);
                                                            										_t300 = _t300 | 0xffffffff;
                                                            										__eflags = _t168 - 1;
                                                            										 *(_t308 + 0x14) = _t300;
                                                            										if(_t168 < 1) {
                                                            											goto L6;
                                                            										}
                                                            										goto L4;
                                                            									}
                                                            								}
                                                            							}
                                                            							E0040B9D7(_t243, _t308 - 0x84, _t300, _t304, __eflags);
                                                            							 *(_t308 - 4) =  *(_t308 - 4) & 0x00000000;
                                                            							E00408639(_t308 - 0x80, _t308,  *((intOrPtr*)(_t308 + 0x44)));
                                                            							 *(_t308 - 0x64) = _t300;
                                                            							_t235 = E0040C093(_t243, _t308 - 0x84, 1, _t300, _t304, __eflags,  *((intOrPtr*)(_t308 + 0x34)),  *(_t308 + 0x14),  *((intOrPtr*)(_t308 + 0x3c)),  *((intOrPtr*)(_t308 + 0x40)),  *((intOrPtr*)(_t308 + 0x48))); // executed
                                                            							_t307 = _t235;
                                                            							__eflags = _t307;
                                                            							if(__eflags != 0) {
                                                            								 *(_t308 - 4) = _t300;
                                                            								E0040B864(_t308 - 0x84, __eflags);
                                                            								goto L35;
                                                            							}
                                                            							_push(_t308 - 0x84);
                                                            							E0040BB33(_t243, _t243, _t300, _t307, __eflags);
                                                            							 *(_t308 - 4) = _t300;
                                                            							E0040B864(_t308 - 0x84, __eflags);
                                                            							continue;
                                                            						}
                                                            						L6:
                                                            						__eflags = _t248 - 0x20;
                                                            						if(_t248 >= 0x20) {
                                                            							goto L53;
                                                            						}
                                                            						goto L7;
                                                            					}
                                                            				} else {
                                                            					_t170 = 0x80004001;
                                                            					L54:
                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t308 - 0xc));
                                                            					return _t170;
                                                            				}
                                                            			}

                                                            0x0040c54a
                                                            0x0040c54a
                                                            0x00000000
                                                            0x0040c541
                                                            0x0040c3a4
                                                            0x0040c3a5
                                                            0x0040c3aa
                                                            0x0040c3ad
                                                            0x0040c3b1
                                                            0x0040c3b3
                                                            0x0040c3b8
                                                            0x0040c3b8
                                                            0x0040c3be
                                                            0x0040c3c2
                                                            0x0040c3c7
                                                            0x0040c3ca
                                                            0x0040c3ce
                                                            0x0040c3d0
                                                            0x0040c3d5
                                                            0x0040c3d5
                                                            0x0040c3d8
                                                            0x0040c3db
                                                            0x0040c3df
                                                            0x0040c3e1
                                                            0x0040c3e6
                                                            0x0040c3e6
                                                            0x0040c3e9
                                                            0x0040c3ec
                                                            0x0040c3f0
                                                            0x0040c3f2
                                                            0x0040c3fb
                                                            0x0040c3fb
                                                            0x0040c195
                                                            0x0040c198
                                                            0x0040c198
                                                            0x0040c19b
                                                            0x0040c19e
                                                            0x0040c1a3
                                                            0x0040c1a7
                                                            0x0040c1a9
                                                            0x0040c1ac
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0040c1ac
                                                            0x0040c198
                                                            0x0040c376
                                                            0x0040c1d7
                                                            0x0040c1df
                                                            0x0040c1e6
                                                            0x0040c1f7
                                                            0x0040c203
                                                            0x0040c208
                                                            0x0040c20a
                                                            0x0040c20c
                                                            0x0040c409
                                                            0x0040c40c
                                                            0x00000000
                                                            0x0040c40c
                                                            0x0040c218
                                                            0x0040c21b
                                                            0x0040c226
                                                            0x0040c229
                                                            0x00000000
                                                            0x0040c229
                                                            0x0040c1c4
                                                            0x0040c1c4
                                                            0x0040c1c7
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0040c1c7
                                                            0x0040c18b
                                                            0x0040c18b
                                                            0x0040c4ca
                                                            0x0040c4cd
                                                            0x0040c4dc
                                                            0x0040c4dc

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID:
                                                            • API String ID: 431132790-0
                                                            • Opcode ID: a745c68587d3e0408f990b5190218730a2044fcf4f7c6a4de919d18e6539e845
                                                            • Instruction ID: 9fa23c60ed07d988f1f076026fc7253265bc66fd5dd24872ef19871adf6ac9e0
                                                            • Opcode Fuzzy Hash: a745c68587d3e0408f990b5190218730a2044fcf4f7c6a4de919d18e6539e845
                                                            • Instruction Fuzzy Hash: 9FE16F30600249DFDF04DFA5C994AAE7BB8AF49318F1482A9E845EB3D1D738DE01DB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 99%
                                                            			E00407148(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _t78;
                                                            				signed int _t81;
                                                            				signed int _t82;
                                                            				signed int _t84;
                                                            				signed int _t85;
                                                            				signed int _t100;
                                                            				signed int _t101;
                                                            				signed int _t104;
                                                            				intOrPtr _t105;
                                                            				void* _t108;
                                                            				unsigned int _t110;
                                                            				signed int _t112;
                                                            				intOrPtr _t126;
                                                            				void* _t146;
                                                            				intOrPtr _t158;
                                                            				signed int _t163;
                                                            				unsigned int _t166;
                                                            				signed int _t171;
                                                            				signed int _t172;
                                                            				signed int _t173;
                                                            				signed int _t174;
                                                            				void* _t177;
                                                            
                                                            				_t158 = __edx;
                                                            				_push(0x10);
                                                            				E00416B21(E00421509, __ebx, __edi, __esi);
                                                            				_t126 = __ecx;
                                                            				if( *((intOrPtr*)(_t177 + 0x10)) != 4 ||  *((intOrPtr*)(_t177 + 0x1c)) != 1) {
                                                            					_t78 = 0x80070057;
                                                            				} else {
                                                            					if(E0040A8CF(__ecx + 0x10,  *((intOrPtr*)(__ecx + 0x4c8))) != 0) {
                                                            						_t81 = E0040A8CF(__ecx + 0x30,  *((intOrPtr*)(__ecx + 0x4cc)));
                                                            						__eflags = _t81;
                                                            						if(_t81 == 0) {
                                                            							goto L3;
                                                            						} else {
                                                            							_t82 = E0040A8CF(__ecx + 0x50,  *((intOrPtr*)(__ecx + 0x4d0)));
                                                            							__eflags = _t82;
                                                            							if(_t82 == 0) {
                                                            								goto L3;
                                                            							} else {
                                                            								_t160 = __ecx + 0x70;
                                                            								_t84 = E0040A8CF(__ecx + 0x70,  *((intOrPtr*)(__ecx + 0x4d4)));
                                                            								__eflags = _t84;
                                                            								if(_t84 == 0) {
                                                            									goto L3;
                                                            								} else {
                                                            									_t85 = E0040AB0A(__ecx + 0x4a0,  *((intOrPtr*)(__ecx + 0x4d8)));
                                                            									__eflags = _t85;
                                                            									if(_t85 == 0) {
                                                            										goto L3;
                                                            									} else {
                                                            										 *((intOrPtr*)(_t177 - 0x14)) = __ecx;
                                                            										_t169 =  *(_t177 + 8);
                                                            										 *(_t177 - 4) =  *(_t177 - 4) & 0x00000000;
                                                            										E0040A90A(__ecx + 0x10,  *( *(_t177 + 8)));
                                                            										E0040A90A(__ecx + 0x30,  *( *(_t177 + 8) + 4));
                                                            										E0040A90A(__ecx + 0x50,  *((intOrPtr*)( *(_t177 + 8) + 8)));
                                                            										E0040A90A(_t160,  *((intOrPtr*)(_t169 + 0xc)));
                                                            										E0040AB43(__ecx + 0x4a0,  *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x14)))));
                                                            										E0040A8A8(__ecx + 0x10);
                                                            										E0040A8A8(__ecx + 0x30);
                                                            										E0040A8A8(__ecx + 0x50);
                                                            										E00406F37(_t160, __eflags);
                                                            										E0040AAC9(__ecx + 0x4a0);
                                                            										_t28 = _t177 + 8;
                                                            										 *_t28 =  *(_t177 + 8) & 0x00000000;
                                                            										__eflags =  *_t28;
                                                            										memset(__ecx + 0x98, 0x400, 0x102 << 2);
                                                            										 *((char*)(_t177 + 0x14)) = 0;
                                                            										while(1) {
                                                            											L9:
                                                            											__eflags =  *(_t177 + 8) - 0x100000;
                                                            											if( *(_t177 + 8) < 0x100000) {
                                                            												goto L13;
                                                            											}
                                                            											L10:
                                                            											_t173 =  *(_t177 + 0x20);
                                                            											__eflags = _t173;
                                                            											if(_t173 == 0) {
                                                            												goto L13;
                                                            											} else {
                                                            												_t105 = E0040AAE1(_t126 + 0x4a0);
                                                            												 *((intOrPtr*)(_t177 - 0x1c)) = _t105;
                                                            												 *((intOrPtr*)(_t177 - 0x18)) = _t158;
                                                            												_t101 =  *((intOrPtr*)( *_t173 + 0xc))(_t173, 0, _t177 - 0x1c);
                                                            												__eflags = _t101;
                                                            												if(_t101 != 0) {
                                                            													L26:
                                                            													_t172 = _t101;
                                                            												} else {
                                                            													_t40 = _t177 + 8;
                                                            													 *_t40 =  *(_t177 + 8) & _t101;
                                                            													__eflags =  *_t40;
                                                            													goto L13;
                                                            												}
                                                            											}
                                                            											L27:
                                                            											 *(_t177 - 4) =  *(_t177 - 4) | 0xffffffff;
                                                            											E0040710D(_t126);
                                                            											_t78 = _t172;
                                                            											goto L31;
                                                            											L13:
                                                            											 *((char*)(_t177 + 0x1c)) = 0;
                                                            											_t171 = 0;
                                                            											__eflags = 0;
                                                            											while(1) {
                                                            												_t100 = E00406EF1(_t126 + 0x10, _t177 + 0x1c);
                                                            												_t146 = _t126 + 0x4a0;
                                                            												__eflags = _t100;
                                                            												if(_t100 == 0) {
                                                            													break;
                                                            												}
                                                            												E00406F16(_t126, _t146,  *((intOrPtr*)(_t177 + 0x1c)));
                                                            												_t104 = E00406F8F( *((intOrPtr*)(_t177 + 0x14)),  *((intOrPtr*)(_t177 + 0x1c)));
                                                            												__eflags = _t104;
                                                            												if(_t104 != 0) {
                                                            													L17:
                                                            													 *(_t177 + 8) =  *(_t177 + 8) + _t171;
                                                            													__eflags = _t171 - 0x40000;
                                                            													if(_t171 == 0x40000) {
                                                            														L9:
                                                            														__eflags =  *(_t177 + 8) - 0x100000;
                                                            														if( *(_t177 + 8) < 0x100000) {
                                                            															goto L13;
                                                            														}
                                                            													} else {
                                                            														L18:
                                                            														_t108 = E00406FFF(_t126 + 0x98 + E00406FB4( *((intOrPtr*)(_t177 + 0x14)),  *((intOrPtr*)(_t177 + 0x1c))) * 4, _t126 + 0x70);
                                                            														__eflags = _t108 - 1;
                                                            														if(_t108 != 1) {
                                                            															 *((char*)(_t177 + 0x14)) =  *((intOrPtr*)(_t177 + 0x1c));
                                                            															do {
                                                            																goto L9;
                                                            															} while (_t171 == 0x40000);
                                                            															goto L18;
                                                            														} else {
                                                            															_t163 = 0;
                                                            															__eflags =  *((char*)(_t177 + 0x1c)) - 0xe8;
                                                            															_t110 = _t126 + 0x30;
                                                            															if( *((char*)(_t177 + 0x1c)) != 0xe8) {
                                                            																_t110 = _t126 + 0x50;
                                                            															}
                                                            															 *(_t177 - 0x10) = _t110;
                                                            															_t174 = 0;
                                                            															__eflags = 0;
                                                            															while(1) {
                                                            																_t112 = E00406EF1( *(_t177 - 0x10), _t177 + 0x13);
                                                            																__eflags = _t112;
                                                            																if(_t112 == 0) {
                                                            																	break;
                                                            																}
                                                            																_t163 = _t163 << 0x00000008 |  *(_t177 + 0x13) & 0x000000ff;
                                                            																_t174 = _t174 + 1;
                                                            																__eflags = _t174 - 4;
                                                            																if(_t174 < 4) {
                                                            																	continue;
                                                            																} else {
                                                            																	_t176 = _t126 + 0x4a0;
                                                            																	_t166 = _t163 - E0040AAE1(_t126 + 0x4a0) - 4;
                                                            																	E00406F16(_t126, _t126 + 0x4a0, _t166);
                                                            																	E00406F16(_t126, _t126 + 0x4a0, _t166 >> 8);
                                                            																	E00406F16(_t126, _t176, _t166 >> 0x10);
                                                            																	 *(_t177 - 0x10) = _t166 >> 0x18;
                                                            																	E00406F16(_t126, _t176, _t166 >> 0x18);
                                                            																	 *(_t177 + 8) =  *(_t177 + 8) + 4;
                                                            																	 *((char*)(_t177 + 0x14)) =  *(_t177 - 0x10);
                                                            																	while(1) {
                                                            																		L9:
                                                            																		__eflags =  *(_t177 + 8) - 0x100000;
                                                            																		if( *(_t177 + 8) < 0x100000) {
                                                            																			goto L13;
                                                            																		}
                                                            																		goto L10;
                                                            																	}
                                                            																}
                                                            																goto L27;
                                                            															}
                                                            															_t172 = 1;
                                                            														}
                                                            													}
                                                            												} else {
                                                            													_t171 = _t171 + 1;
                                                            													 *((char*)(_t177 + 0x14)) =  *((intOrPtr*)(_t177 + 0x1c));
                                                            													__eflags = _t171 - 0x40000;
                                                            													if(_t171 < 0x40000) {
                                                            														continue;
                                                            													} else {
                                                            														goto L17;
                                                            													}
                                                            												}
                                                            												goto L27;
                                                            											}
                                                            											_t101 = E0040ABDB(_t146);
                                                            											goto L26;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					} else {
                                                            						L3:
                                                            						_t78 = 0x8007000e;
                                                            					}
                                                            				}
                                                            				L31:
                                                            				return E00416BF9(_t78);
                                                            			}

























                                                            0x00407289
                                                            0x0040739d
                                                            0x0040739d
                                                            0x0040728f
                                                            0x0040728f
                                                            0x0040728f
                                                            0x0040728f
                                                            0x00000000
                                                            0x0040728f
                                                            0x00407289
                                                            0x0040739f
                                                            0x0040739f
                                                            0x004073a5
                                                            0x004073aa
                                                            0x00000000
                                                            0x00407292
                                                            0x00407292
                                                            0x00407296
                                                            0x00407296
                                                            0x00407298
                                                            0x0040729f
                                                            0x004072a4
                                                            0x004072aa
                                                            0x004072ac
                                                            0x00000000
                                                            0x00000000
                                                            0x004072b5
                                                            0x004072c0
                                                            0x004072c5
                                                            0x004072c7
                                                            0x004072d8
                                                            0x004072d8
                                                            0x004072db
                                                            0x004072e1
                                                            0x0040725a
                                                            0x0040725a
                                                            0x00407261
                                                            0x00000000
                                                            0x00000000
                                                            0x004072e7
                                                            0x004072e7
                                                            0x004072fd
                                                            0x00407302
                                                            0x00407305
                                                            0x00407395
                                                            0x0040725a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0040730b
                                                            0x0040730b
                                                            0x0040730d
                                                            0x00407311
                                                            0x00407314
                                                            0x00407316
                                                            0x00407316
                                                            0x00407319
                                                            0x0040731c
                                                            0x0040731c
                                                            0x0040731e
                                                            0x00407325
                                                            0x0040732a
                                                            0x0040732c
                                                            0x00000000
                                                            0x00000000
                                                            0x00407339
                                                            0x0040733b
                                                            0x0040733c
                                                            0x0040733f
                                                            0x00000000
                                                            0x00407341
                                                            0x00407341
                                                            0x00407350
                                                            0x00407356
                                                            0x00407363
                                                            0x00407370
                                                            0x0040737b
                                                            0x0040737e
                                                            0x00407386
                                                            0x0040738a
                                                            0x0040725a
                                                            0x0040725a
                                                            0x0040725a
                                                            0x00407261
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00407261
                                                            0x0040725a
                                                            0x00000000
                                                            0x0040733f
                                                            0x004073b7
                                                            0x004073b7
                                                            0x00407305
                                                            0x004072c9
                                                            0x004072cc
                                                            0x004072cd
                                                            0x004072d0
                                                            0x004072d6
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004072d6
                                                            0x00000000
                                                            0x004072c7
                                                            0x004073ae
                                                            0x00000000
                                                            0x004073ae
                                                            0x0040725a
                                                            0x004071d2
                                                            0x004071bd
                                                            0x004071a8
                                                            0x0040717c
                                                            0x0040717c
                                                            0x0040717c
                                                            0x0040717c
                                                            0x0040717a
                                                            0x004073bf
                                                            0x004073c4

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID:
                                                            • API String ID: 431132790-0
                                                            • Opcode ID: 094f822e556a98e56eb2db85d0f01294e4a17ea916421102d3e624c15ae0b408
                                                            • Instruction ID: 7191734e02ba6b0490eaad6bba1f0a6d97c017ddc93a550bea6bd24f0e2c9c2a
                                                            • Opcode Fuzzy Hash: 094f822e556a98e56eb2db85d0f01294e4a17ea916421102d3e624c15ae0b408
                                                            • Instruction Fuzzy Hash: 8061C2319002068BCF05EF25C881AAE3765AF50308F04407EFD567B2D3DB3CA926DB9A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E004135E5(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* __ebp;
                                                            				void* _t74;
                                                            				void* _t78;
                                                            				void* _t82;
                                                            				void* _t86;
                                                            				intOrPtr _t93;
                                                            				intOrPtr _t110;
                                                            				void* _t113;
                                                            				void* _t129;
                                                            				void* _t131;
                                                            				void* _t133;
                                                            				intOrPtr _t139;
                                                            				void* _t156;
                                                            				char* _t158;
                                                            				intOrPtr _t161;
                                                            				intOrPtr _t162;
                                                            				intOrPtr _t163;
                                                            				intOrPtr* _t165;
                                                            				void* _t170;
                                                            
                                                            				_t170 = __eflags;
                                                            				_t160 = __esi;
                                                            				_t156 = __edx;
                                                            				_push(0x70);
                                                            				E00416B21(E0042220A, __ebx, __edi, __esi);
                                                            				_t158 =  *((intOrPtr*)(_t165 + 0x30));
                                                            				 *_t158 = 0;
                                                            				E004134F7(0, _t165 - 0x7c, _t158, __esi, _t170);
                                                            				 *(_t165 - 4) = 0;
                                                            				_t74 = E0040C825(_t165 - 0x7c, _t165 + 0xc, 0xa);
                                                            				 *(_t165 - 4) = 1;
                                                            				E00408639(0x43060c, _t165, _t74);
                                                            				_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            				 *(_t165 - 4) = 0;
                                                            				L00408BFB(0, _t158, __esi, _t170);
                                                            				_pop(_t129);
                                                            				_t78 = E0040C825(_t129, _t165 + 0xc, 0x18);
                                                            				 *(_t165 - 4) = 2;
                                                            				E00408639(0x430618, _t165, _t78);
                                                            				_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            				 *(_t165 - 4) = 0;
                                                            				L00408BFB(0, _t158, __esi, _t170);
                                                            				_pop(_t131);
                                                            				_t82 = E0040C825(_t131, _t165 + 0xc, 0x19);
                                                            				 *(_t165 - 4) = 3;
                                                            				E00408639(0x430624, _t165, _t82);
                                                            				_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            				 *(_t165 - 4) = 0;
                                                            				L00408BFB(0, _t158, _t160, _t170);
                                                            				_pop(_t133);
                                                            				_t86 = E0040C825(_t133, _t165 + 0xc, 0x1a);
                                                            				 *(_t165 - 4) = 4;
                                                            				E00408639(0x430630, _t165, _t86);
                                                            				_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            				 *(_t165 - 4) = 0;
                                                            				L00408BFB(0, _t158, _t160, _t170);
                                                            				 *((intOrPtr*)(_t165 - 0x7c)) =  *((intOrPtr*)(_t165 + 0x20));
                                                            				E00408639(_t165 - 0x78, _t165,  *((intOrPtr*)(_t165 + 0x24)));
                                                            				E00408639(_t165 - 0x6c, _t165,  *((intOrPtr*)(_t165 + 0x28)));
                                                            				_t139 = E00408BD0(0, _t158, _t170, 0x140);
                                                            				 *((intOrPtr*)(_t165 + 0x30)) = _t139;
                                                            				 *(_t165 - 4) = 5;
                                                            				_t171 = _t139;
                                                            				if(_t139 == 0) {
                                                            					_t93 = 0;
                                                            					__eflags = 0;
                                                            				} else {
                                                            					_t93 = E0041310D(0, _t139, _t158, _t160, _t171);
                                                            				}
                                                            				 *(_t165 - 4) = 0;
                                                            				 *((intOrPtr*)(_t165 - 0x60)) = _t93;
                                                            				E00406200(_t165 - 0x5c, _t93);
                                                            				_t161 =  *((intOrPtr*)(_t165 + 0x3c));
                                                            				 *((char*)( *((intOrPtr*)(_t165 - 0x60)) + 0x120)) = E00408639( *((intOrPtr*)(_t165 - 0x60)) + 0x124, _t165, _t161) & 0xffffff00 |  *((intOrPtr*)(_t161 + 4)) != 0x00000000;
                                                            				 *((char*)( *((intOrPtr*)(_t165 - 0x60)) + 0x139)) =  *((intOrPtr*)(_t165 + 0x40));
                                                            				if( *((intOrPtr*)(_t165 + 0x2c)) == 0) {
                                                            					E00413320(0, _t165 - 0x7c, _t156, _t158, _t161, __eflags);
                                                            					goto L9;
                                                            				} else {
                                                            					 *((intOrPtr*)(_t165 + 0x40)) = 0;
                                                            					 *(_t165 - 4) = 6;
                                                            					_t110 = E0040FC50(_t156, _t161, _t165 + 0x40, E004134E9, _t165 - 0x7c); // executed
                                                            					_t163 = _t110;
                                                            					_t174 = _t163;
                                                            					if(_t163 == 0) {
                                                            						E0040320A(_t165 + 0xc);
                                                            						 *(_t165 - 4) = 7;
                                                            						_t113 = E0040C825(_t165 + 0xc, _t165, 0x45);
                                                            						 *(_t165 - 4) = 8;
                                                            						E00408639(_t165 + 0xc, _t165, _t113);
                                                            						_push( *_t165);
                                                            						 *(_t165 - 4) = 7;
                                                            						L00408BFB(0, _t158, _t163, __eflags);
                                                            						E004130B7(0,  *((intOrPtr*)(_t165 - 0x60)), _t158, __eflags, _t165 + 0xc, _t165 + 0x40); // executed
                                                            						_push( *((intOrPtr*)(_t165 + 0xc)));
                                                            						L00408BFB(0, _t158, _t163, __eflags);
                                                            						 *(_t165 - 4) = 0;
                                                            						E0040FC1B(_t165 + 0x40);
                                                            						L9:
                                                            						_t162 =  *((intOrPtr*)(_t165 + 0x34));
                                                            						E00408639(_t162, _t165, _t165 - 0x18);
                                                            						__eflags =  *((intOrPtr*)(_t162 + 4));
                                                            						if(__eflags == 0) {
                                                            							__eflags =  *((intOrPtr*)(_t165 - 0x60)) + 0x114;
                                                            							E00408639(_t162, _t165,  *((intOrPtr*)(_t165 - 0x60)) + 0x114);
                                                            						}
                                                            						_t163 =  *((intOrPtr*)(_t165 - 0x1c));
                                                            						 *_t158 =  *((intOrPtr*)( *((intOrPtr*)(_t165 - 0x60)) + 0x110));
                                                            						L6:
                                                            						 *(_t165 - 4) =  *(_t165 - 4) | 0xffffffff;
                                                            						E0041353C(_t165 - 0x7c, _t163, _t174); // executed
                                                            						 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0xc));
                                                            						return _t163;
                                                            					}
                                                            					E0040FC1B(_t165 + 0x40);
                                                            					goto L6;
                                                            				}
                                                            			}























                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 004135F0
                                                              • Part of subcall function 004134F7: __EH_prolog3.LIBCMT ref: 004134FE
                                                              • Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
                                                              • Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4
                                                              • Part of subcall function 0041310D: __EH_prolog3.LIBCMT ref: 00413114
                                                              • Part of subcall function 004130B7: ShowWindow.USER32(?,00000001,00000000,?,?,00000000), ref: 00413100
                                                              • Part of subcall function 0040FC1B: FindCloseChangeNotification.KERNELBASE(?,?,00401769,?,?,00401A40,?,?,?), ref: 0040FC27
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$ChangeCloseException@8FindNotificationShowThrowWindow_malloc
                                                            • String ID:
                                                            • API String ID: 3148577082-0
                                                            • Opcode ID: 1cecaef1887d38932e9bad06ee4af9241c213ef7cd2f675f6b92a21c1f164fe3
                                                            • Instruction ID: 32821a47a4495b02cd0ca02b977b7952fd0f103a46899cb1509da0f48fa3398e
                                                            • Opcode Fuzzy Hash: 1cecaef1887d38932e9bad06ee4af9241c213ef7cd2f675f6b92a21c1f164fe3
                                                            • Instruction Fuzzy Hash: 6261C37190028CEFCF01EFA4C856ADD7BB4AF19314F14806FF954A7282DA3C9A09CB59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E00403975(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _t69;
                                                            				intOrPtr* _t74;
                                                            				intOrPtr* _t75;
                                                            				intOrPtr* _t82;
                                                            				intOrPtr* _t83;
                                                            				intOrPtr* _t88;
                                                            				intOrPtr* _t89;
                                                            				intOrPtr* _t93;
                                                            				intOrPtr _t96;
                                                            				char* _t119;
                                                            				intOrPtr* _t121;
                                                            				void* _t122;
                                                            
                                                            				E00416BC0(E00421040, __ebx, __edi, __esi);
                                                            				_t121 =  *((intOrPtr*)(_t122 + 8));
                                                            				_t96 =  *((intOrPtr*)(_t122 + 0x14));
                                                            				 *((intOrPtr*)(_t122 - 0x70)) =  *((intOrPtr*)(_t122 + 0xc));
                                                            				 *((intOrPtr*)(_t122 - 0x74)) =  *((intOrPtr*)(_t122 + 0x10));
                                                            				_t118 = 0;
                                                            				 *((intOrPtr*)(_t122 - 0x78)) = _t121;
                                                            				 *((intOrPtr*)(_t122 - 4)) = 0;
                                                            				 *((intOrPtr*)( *_t121 + 0x10))(_t121, 0x78);
                                                            				 *((char*)(_t122 - 4)) = 1;
                                                            				E0040222C(_t122 - 0x6c, _t96);
                                                            				 *((intOrPtr*)(_t122 - 0x68)) = 0;
                                                            				 *((char*)(_t122 - 4)) = 3;
                                                            				_t124 = _t96;
                                                            				if(_t96 != 0) {
                                                            					_t93 =  *((intOrPtr*)(_t122 - 0x6c));
                                                            					_t116 = _t122 - 0x68;
                                                            					 *((intOrPtr*)( *_t93))(_t93, 0x424174, _t122 - 0x68);
                                                            				}
                                                            				 *((intOrPtr*)(_t122 - 0x64)) = _t118;
                                                            				 *((intOrPtr*)(_t122 - 0x5c)) = _t118;
                                                            				 *((intOrPtr*)(_t122 - 0x58)) = _t118;
                                                            				 *((intOrPtr*)(_t122 - 0x54)) = _t118;
                                                            				 *((intOrPtr*)(_t122 - 0x50)) = 4;
                                                            				 *((intOrPtr*)(_t122 - 0x60)) = 0x4234bc;
                                                            				_push( *((intOrPtr*)(_t122 - 0x74)));
                                                            				 *((char*)(_t122 - 4)) = 4;
                                                            				_t97 = E0040469F(_t96, _t122 - 0x64, _t122, _t124,  *((intOrPtr*)(_t122 - 0x70)));
                                                            				_t125 = _t97 - _t118;
                                                            				if(_t97 == _t118) {
                                                            					_t119 = _t121 + 0x1e0;
                                                            					 *_t119 = 0;
                                                            					E0040320A(_t122 - 0x84);
                                                            					_push(_t119);
                                                            					_push( *((intOrPtr*)(_t122 - 0x68)));
                                                            					_t97 = _t121 + 0x10;
                                                            					_push(_t121 + 0x10);
                                                            					 *((char*)(_t122 - 4)) = 5;
                                                            					_t69 = E004060EC(_t122 - 0x64, __eflags); // executed
                                                            					_t118 = _t69;
                                                            					__eflags = _t69;
                                                            					if(__eflags == 0) {
                                                            						E0040309E(_t97, _t97, _t116, __eflags);
                                                            						E00406200(_t121 + 8,  *((intOrPtr*)(_t122 - 0x70)));
                                                            						_push( *((intOrPtr*)(_t122 - 0x84)));
                                                            						L00408BFB(_t97, _t118, _t121, __eflags);
                                                            						 *((char*)(_t122 - 4)) = 3;
                                                            						E004037B0(_t122 - 0x64, _t121, __eflags);
                                                            						_t74 =  *((intOrPtr*)(_t122 - 0x68));
                                                            						 *((char*)(_t122 - 4)) = 2;
                                                            						__eflags = _t74;
                                                            						if(_t74 != 0) {
                                                            							 *((intOrPtr*)( *_t74 + 8))(_t74);
                                                            						}
                                                            						_t75 =  *((intOrPtr*)(_t122 - 0x6c));
                                                            						 *((char*)(_t122 - 4)) = 1;
                                                            						__eflags = _t75;
                                                            						if(_t75 != 0) {
                                                            							 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                            						}
                                                            					} else {
                                                            						_push( *((intOrPtr*)(_t122 - 0x84)));
                                                            						L00408BFB(_t97, _t118, _t121, __eflags);
                                                            						 *((char*)(_t122 - 4)) = 3;
                                                            						E004037B0(_t122 - 0x64, _t121, __eflags);
                                                            						_t82 =  *((intOrPtr*)(_t122 - 0x68));
                                                            						 *((char*)(_t122 - 4)) = 2;
                                                            						__eflags = _t82;
                                                            						if(_t82 != 0) {
                                                            							 *((intOrPtr*)( *_t82 + 8))(_t82);
                                                            						}
                                                            						_t83 =  *((intOrPtr*)(_t122 - 0x6c));
                                                            						 *((char*)(_t122 - 4)) = 1;
                                                            						__eflags = _t83;
                                                            						if(_t83 != 0) {
                                                            							 *((intOrPtr*)( *_t83 + 8))(_t83);
                                                            						}
                                                            					}
                                                            				} else {
                                                            					 *((char*)(_t122 - 4)) = 3;
                                                            					E004037B0(_t122 - 0x64, _t121, _t125);
                                                            					_t88 =  *((intOrPtr*)(_t122 - 0x68));
                                                            					 *((char*)(_t122 - 4)) = 2;
                                                            					if(_t88 != _t118) {
                                                            						 *((intOrPtr*)( *_t88 + 8))(_t88);
                                                            					}
                                                            					_t89 =  *((intOrPtr*)(_t122 - 0x6c));
                                                            					 *((char*)(_t122 - 4)) = 1;
                                                            					if(_t89 != _t118) {
                                                            						 *((intOrPtr*)( *_t89 + 8))(_t89);
                                                            					}
                                                            				}
                                                            				return E00416C1C(_t97, _t118, _t121);
                                                            			}
















                                                            APIs
                                                            • __EH_prolog3_catch_GS.LIBCMT ref: 0040397C
                                                              • Part of subcall function 004060EC: __EH_prolog3_catch.LIBCMT ref: 004060F3
                                                              • Part of subcall function 004037B0: __EH_prolog3.LIBCMT ref: 004037B7
                                                              • Part of subcall function 004037B0: ~_Task_impl.LIBCPMT ref: 004037C8
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3H_prolog3_catchH_prolog3_catch_Task_impl
                                                            • String ID:
                                                            • API String ID: 3316410470-0
                                                            • Opcode ID: e2295fb80c2056a44aec580e3b47a8f3124a2c9b0920453268770037ce4861f1
                                                            • Instruction ID: 0df43bebe7c24eb3054dd4c9a2fea3a8a503b60659171841bb980735a1a66d0f
                                                            • Opcode Fuzzy Hash: e2295fb80c2056a44aec580e3b47a8f3124a2c9b0920453268770037ce4861f1
                                                            • Instruction Fuzzy Hash: FB516D70A00349DFDB01DFE5C548A9DBFB8AF55308F24409EE44ABB382DB799A45CB15
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E00410C9B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t38;
                                                            				void* _t42;
                                                            				intOrPtr _t47;
                                                            				void* _t52;
                                                            				intOrPtr _t53;
                                                            				intOrPtr _t57;
                                                            				void* _t75;
                                                            				intOrPtr _t76;
                                                            				void* _t77;
                                                            
                                                            				_t77 = __eflags;
                                                            				_t72 = __edi;
                                                            				_t71 = __edx;
                                                            				_push(0x60);
                                                            				E00416B21(E00421CDA, __ebx, __edi, __esi);
                                                            				E0040320A(_t75 - 0x44);
                                                            				_t74 =  *((intOrPtr*)(_t75 + 8));
                                                            				_push(0x5c);
                                                            				_push( *((intOrPtr*)(_t75 + 8)));
                                                            				_t57 = 0;
                                                            				_push(_t75 - 0x18);
                                                            				 *((intOrPtr*)(_t75 - 4)) = 0;
                                                            				E00410931(0, __edx, __edi, _t74, _t77);
                                                            				_push(0x2a);
                                                            				_push(_t75 - 0x18);
                                                            				_push(_t75 - 0x24);
                                                            				 *((char*)(_t75 - 4)) = 1;
                                                            				_push(E00410931(0, __edx, _t72, _t74, _t77));
                                                            				 *((char*)(_t75 - 4)) = 2;
                                                            				E00410971(0, _t75 - 0x34, _t72, _t74, _t77);
                                                            				_push( *((intOrPtr*)(_t75 - 0x24)));
                                                            				 *((char*)(_t75 - 4)) = 4;
                                                            				L00408BFB(0, _t72, _t74, _t77);
                                                            				while(1) {
                                                            					_t38 = E004093F7(_t75 - 0x34, _t75, _t75 - 0x6c);
                                                            					_t78 = _t38;
                                                            					if(_t38 == 0) {
                                                            						break;
                                                            					}
                                                            					_push(_t75 - 0x6c);
                                                            					_t76 = _t76 - 0xc;
                                                            					 *((intOrPtr*)(_t75 + 8)) = _t76;
                                                            					E00404082(_t76, _t75, _t75 - 0x18); // executed
                                                            					_t42 = E00410C2B(_t57, _t71, __eflags); // executed
                                                            					__eflags = _t42 - _t57;
                                                            					if(__eflags == 0) {
                                                            						_push( *((intOrPtr*)(_t75 - 0x30)));
                                                            						 *((char*)(_t75 - 4)) = 1;
                                                            						L00408BFB(_t57, _t72, _t74, __eflags);
                                                            						E004091A4(_t75 - 0x34);
                                                            						_push( *((intOrPtr*)(_t75 - 0x18)));
                                                            						L00408BFB(_t57, _t72, _t74, __eflags);
                                                            						_push( *((intOrPtr*)(_t75 - 0x44)));
                                                            						L00408BFB(_t57, _t72, _t74, __eflags);
                                                            						_t47 = 0;
                                                            					} else {
                                                            						continue;
                                                            					}
                                                            					L5:
                                                            					return E00416BF9(_t47);
                                                            				}
                                                            				_push( *((intOrPtr*)(_t75 - 0x30)));
                                                            				 *((char*)(_t75 - 4)) = 1;
                                                            				L00408BFB(_t57, _t72, _t74, _t78);
                                                            				E004091A4(_t75 - 0x34);
                                                            				_t52 = E00410A7A(_t57, _t72, _t74, _t78,  *_t74, _t57); // executed
                                                            				_t79 = _t52;
                                                            				if(_t52 != 0) {
                                                            					_t53 = E00410AE4(_t57, _t72, _t74, __eflags,  *_t74); // executed
                                                            					_t57 = _t53;
                                                            				}
                                                            				_push( *((intOrPtr*)(_t75 - 0x18)));
                                                            				L00408BFB(_t57, _t72, _t74, _t79);
                                                            				_push( *((intOrPtr*)(_t75 - 0x44)));
                                                            				L00408BFB(_t57, _t72, _t74, _t79);
                                                            				_t47 = _t57;
                                                            				goto L5;
                                                            			}












                                                            0x00410d54
                                                            0x00000000

                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410CA2
                                                              • Part of subcall function 00410931: __EH_prolog3.LIBCMT ref: 00410938
                                                              • Part of subcall function 00410971: __EH_prolog3.LIBCMT ref: 00410978
                                                              • Part of subcall function 004091A4: FindClose.KERNELBASE ref: 004091AF
                                                              • Part of subcall function 00410AE4: __EH_prolog3.LIBCMT ref: 00410AEB
                                                              • Part of subcall function 00410AE4: RemoveDirectoryW.KERNELBASE(?,0000000C), ref: 00410AF9
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$CloseDirectoryFindRemove
                                                            • String ID:
                                                            • API String ID: 1902238476-0
                                                            • Opcode ID: 4fbb5a808f8d1446f06ffaa4c05493f735c7c2265915495fb556f648af173519
                                                            • Instruction ID: a3cc244adccf2e4cac89145f1c327d215d4d92245b22a372655b58a5773b09a4
                                                            • Opcode Fuzzy Hash: 4fbb5a808f8d1446f06ffaa4c05493f735c7c2265915495fb556f648af173519
                                                            • Instruction Fuzzy Hash: E52181B1804108AEDF00FBE5DA52ADE7BB89F14318F10406FF580771D3DEB96AC59A69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00411EC8(void* __ecx, void* __edx) {
                                                            				intOrPtr _v8;
                                                            				char _v12;
                                                            				signed int _v16;
                                                            				signed int _v20;
                                                            				intOrPtr _t25;
                                                            				signed int _t27;
                                                            				void* _t35;
                                                            				signed int _t37;
                                                            				void* _t39;
                                                            
                                                            				_t35 = __edx;
                                                            				_t39 = __ecx;
                                                            				_t36 = __ecx + 0x58;
                                                            				if(E00411CFC(__ecx + 0x58) == 0) {
                                                            					E00411E99(__ecx);
                                                            					E00411D6E(_t36,  &_v20,  &_v12);
                                                            					_t37 = _v20;
                                                            					_t27 = _v16;
                                                            					if(_t37 !=  *((intOrPtr*)(__ecx + 0x40)) || _t27 !=  *((intOrPtr*)(__ecx + 0x44))) {
                                                            						E00411DDF(_t39, _t37, _t27);
                                                            					}
                                                            					E00411E2A(_t39, _v12, _v8); // executed
                                                            					if((_t37 | _t27) == 0) {
                                                            						_t37 = 1;
                                                            						_t27 = 0;
                                                            					}
                                                            					_t25 = E00417E00(E004176B0(_v12, _v8, 0x64, 0), _t35, _t37, _t27);
                                                            					if(_t25 !=  *((intOrPtr*)(_t39 + 0x4c))) {
                                                            						 *((intOrPtr*)(_t39 + 0x4c)) = _t25;
                                                            					}
                                                            				}
                                                            				return 1;
                                                            			}













                                                            APIs
                                                              • Part of subcall function 00411CFC: EnterCriticalSection.KERNEL32(?,?,?,?,00411EDC), ref: 00411D05
                                                              • Part of subcall function 00411CFC: LeaveCriticalSection.KERNEL32(?,?,?,00411EDC), ref: 00411D0F
                                                              • Part of subcall function 00411E99: PostMessageW.USER32(?,00008000,00000000,00000000), ref: 00411EAE
                                                              • Part of subcall function 00411D6E: EnterCriticalSection.KERNEL32(?,?,?,00411EF7,?,?), ref: 00411D76
                                                              • Part of subcall function 00411D6E: LeaveCriticalSection.KERNEL32(?,?,00411EF7,?,?), ref: 00411D9B
                                                            • __aulldiv.LIBCMT ref: 00411F3B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$MessagePost__aulldiv
                                                            • String ID:
                                                            • API String ID: 3743465594-0
                                                            • Opcode ID: a8577b5923c133be84352f7fc4ff1d46fad0c7c12c13c5344a69fe3690ba1475
                                                            • Instruction ID: 519ab6dd52a514ac1fada1918d288c045c626b422648050e404c23596e31d368
                                                            • Opcode Fuzzy Hash: a8577b5923c133be84352f7fc4ff1d46fad0c7c12c13c5344a69fe3690ba1475
                                                            • Instruction Fuzzy Hash: A8016175700214ABDB21AB968C819FFB7BEAB84714F00045BF642A3661D779BD828668
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E0040A912(intOrPtr* __ecx, void* __edi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				intOrPtr* _t21;
                                                            				char _t22;
                                                            				intOrPtr _t23;
                                                            				signed int _t24;
                                                            				signed int _t25;
                                                            				signed int _t26;
                                                            				intOrPtr _t30;
                                                            				intOrPtr _t31;
                                                            				intOrPtr* _t39;
                                                            
                                                            				_push(__ecx);
                                                            				_push(__ecx);
                                                            				_t39 = __ecx;
                                                            				if( *((char*)(__ecx + 0x1c)) == 0) {
                                                            					_t30 =  *((intOrPtr*)(__ecx + 8));
                                                            					asm("cdq");
                                                            					 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(__ecx + 0x10)) +  *__ecx - _t30;
                                                            					_t21 =  *((intOrPtr*)(__ecx + 0xc));
                                                            					asm("adc [esi+0x14], edx");
                                                            					_t22 =  *((intOrPtr*)( *_t21 + 0xc))(_t21, _t30,  *((intOrPtr*)(__ecx + 0x18)),  &_v12, __edi);
                                                            					if(_t22 != 0) {
                                                            						_v8 = _t22;
                                                            						E004166E0( &_v8, 0x4295d4);
                                                            					}
                                                            					_t23 =  *((intOrPtr*)(_t39 + 8));
                                                            					_t31 = _v12;
                                                            					 *_t39 = _t23;
                                                            					_t24 = _t23 + _t31;
                                                            					 *(_t39 + 4) = _t24;
                                                            					_t25 = _t24 & 0xffffff00 | _t31 == 0x00000000;
                                                            					 *(_t39 + 0x1c) = _t25;
                                                            					_t26 = 0 | _t25 == 0x00000000;
                                                            				} else {
                                                            					_t26 = 0;
                                                            				}
                                                            				return _t26;
                                                            			}















                                                            APIs
                                                            • __CxxThrowException@8.LIBCMT ref: 0040A955
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw
                                                            • String ID:
                                                            • API String ID: 2005118841-0
                                                            • Opcode ID: 9a5bb656170a8548dc9b28687d5c3d08d929b8bddbdff51618608348ab6e88b3
                                                            • Instruction ID: 50af47bc67f8884ff376a5bab392e23a2d223ecb1341b9976338e81d63542ba6
                                                            • Opcode Fuzzy Hash: 9a5bb656170a8548dc9b28687d5c3d08d929b8bddbdff51618608348ab6e88b3
                                                            • Instruction Fuzzy Hash: 520171B1600701AFCB28CF69C80599BBBF8EF453547048A6EA4C6D3651D774F945CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E00410C2B(void* __ebx, void* __edx, void* __eflags) {
                                                            				intOrPtr _t17;
                                                            				intOrPtr* _t21;
                                                            				void* _t22;
                                                            				void* _t28;
                                                            				signed char _t32;
                                                            				void* _t36;
                                                            				void* _t37;
                                                            				void* _t38;
                                                            
                                                            				_t29 = __ebx;
                                                            				_push(0x18);
                                                            				E00416B21(E00421C9F, __ebx, _t36, _t37);
                                                            				_t17 =  *((intOrPtr*)(_t38 + 0x14));
                                                            				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                                            				_push(_t17 + 0x28);
                                                            				_t32 =  *(_t17 + 0x20) >> 4;
                                                            				_push(_t38 + 8);
                                                            				_t40 = _t32 & 0x00000001;
                                                            				if((_t32 & 0x00000001) == 0) {
                                                            					_push(_t38 - 0x24);
                                                            					_t21 = E004096A4(__ebx, _t36, _t37, __eflags);
                                                            					 *(_t38 - 4) = 2;
                                                            					_t22 = E00410BBB(_t29, _t36, _t37, __eflags,  *_t21); // executed
                                                            					_push( *((intOrPtr*)(_t38 - 0x24)));
                                                            				} else {
                                                            					_push(_t38 - 0x18);
                                                            					_t28 = E004096A4(__ebx, _t36, _t37, _t40);
                                                            					 *(_t38 - 4) = 1;
                                                            					_t22 = E00410C9B(_t29, __edx, _t36, _t37, _t40, _t28); // executed
                                                            					_push( *((intOrPtr*)(_t38 - 0x18)));
                                                            				}
                                                            				_t30 = _t22;
                                                            				L00408BFB(_t22, _t36, _t37, _t40);
                                                            				_push( *((intOrPtr*)(_t38 + 8)));
                                                            				L00408BFB(_t30, _t36, _t37, _t40);
                                                            				return E00416BF9(_t30);
                                                            			}












                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00410C32
                                                              • Part of subcall function 004096A4: __EH_prolog3.LIBCMT ref: 004096AB
                                                              • Part of subcall function 00410C9B: __EH_prolog3.LIBCMT ref: 00410CA2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID:
                                                            • API String ID: 431132790-0
                                                            • Opcode ID: 59967bbe753e5dc168115a87754a61ade42e6dcece7e8eaa7ca788e826340a8f
                                                            • Instruction ID: 06cb761f1f525b4146118a468f0d354c53039bfffbfcc7a97c900ac5a6a9224e
                                                            • Opcode Fuzzy Hash: 59967bbe753e5dc168115a87754a61ade42e6dcece7e8eaa7ca788e826340a8f
                                                            • Instruction Fuzzy Hash: DCF06D75400108AEDB05EB95C946FDD3BA8AF19308F00045EF540A72A3DABDEAD4AA6C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E004130B7(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                            				char _v16;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				intOrPtr* _t11;
                                                            				struct HWND__** _t23;
                                                            				void* _t24;
                                                            
                                                            				_t25 = __eflags;
                                                            				_push(0);
                                                            				 *((char*)(__ecx + 0x88)) =  *((intOrPtr*)(__ecx + 0x139));
                                                            				E00413069(__ecx + 0x70, _t24, __eflags, _a4, _a8);
                                                            				_t11 = E0040C825(__ecx + 0x70,  &_v16, 0x45);
                                                            				_t23 = __ecx + 0x74;
                                                            				E00411A09(_t23,  *_t11);
                                                            				_push(_v16);
                                                            				L00408BFB(__ebx, __edi, _t23, _t25);
                                                            				ShowWindow( *_t23, 1); // executed
                                                            				return 0;
                                                            			}










                                                            APIs
                                                              • Part of subcall function 00411A09: SetWindowTextW.USER32(?,?), ref: 00411A0F
                                                            • ShowWindow.USER32(?,00000001,00000000,?,?,00000000), ref: 00413100
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Window$ShowText
                                                            • String ID:
                                                            • API String ID: 1551406749-0
                                                            • Opcode ID: 905720b4aa533e3a3a3202855c4c46ae575610bf33439627e65eafeb3e5c2fc5
                                                            • Instruction ID: 35af53d8c1d0c1f4d98bec84655a3a64350064d86e18da663c696bb970858594
                                                            • Opcode Fuzzy Hash: 905720b4aa533e3a3a3202855c4c46ae575610bf33439627e65eafeb3e5c2fc5
                                                            • Instruction Fuzzy Hash: 9CF0E235500204BBCF11BB74DC06EC97FA4AF08314F00442EF999661A2DE75A614D788
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E00412707(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _t31;
                                                            				intOrPtr _t33;
                                                            				void* _t34;
                                                            
                                                            				_t22 = __ebx;
                                                            				_push(0xc);
                                                            				E00416B21(E00421D84, __ebx, __edi, __esi);
                                                            				E00404082(_t34 - 0x18, _t34, __ecx + 0x14);
                                                            				_t33 =  *((intOrPtr*)(_t34 + 8));
                                                            				_t31 = 0;
                                                            				_t36 =  *((intOrPtr*)(_t33 + 8));
                                                            				 *((intOrPtr*)(_t34 - 4)) = 0;
                                                            				if( *((intOrPtr*)(_t33 + 8)) > 0) {
                                                            					do {
                                                            						E00408FDE(_t34 - 0x18, _t36,  *((intOrPtr*)( *((intOrPtr*)(_t33 + 0xc)) + _t31 * 4)));
                                                            						E00410B45(__ebx, _t31, _t33, _t36,  *((intOrPtr*)(_t34 - 0x18))); // executed
                                                            						E00408670(_t34 - 0x18, __edx, _t36, 0x5c);
                                                            						_t31 = _t31 + 1;
                                                            						_t37 = _t31 -  *((intOrPtr*)(_t33 + 8));
                                                            					} while (_t31 <  *((intOrPtr*)(_t33 + 8)));
                                                            				}
                                                            				_push( *((intOrPtr*)(_t34 - 0x18)));
                                                            				return E00416BF9(L00408BFB(_t22, _t31, _t33, _t37));
                                                            			}







                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0041270E
                                                              • Part of subcall function 00410B45: __EH_prolog3.LIBCMT ref: 00410B4C
                                                              • Part of subcall function 00410B45: CreateDirectoryW.KERNELBASE(?,00000000,0000000C), ref: 00410B5C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3$CreateDirectory
                                                            • String ID:
                                                            • API String ID: 2028411195-0
                                                            • Opcode ID: ce8aff6c3c48dc0627f43f54bdacbbe699a1c0c95c6fa51e321feb936b7a5f87
                                                            • Instruction ID: 7158408a5ca7f67ee087e461847e5e65f72557397dec4d11aca8ef9227536058
                                                            • Opcode Fuzzy Hash: ce8aff6c3c48dc0627f43f54bdacbbe699a1c0c95c6fa51e321feb936b7a5f87
                                                            • Instruction Fuzzy Hash: C5F030714005069ECB01AB96CD42DAEBB71BF50308F42403EA295764E2DE79B9C29B88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E00409322(void** __ecx, intOrPtr __edi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				struct _WIN32_FIND_DATAW _v600;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				signed int _t8;
                                                            				int _t11;
                                                            				signed int _t16;
                                                            				signed int _t17;
                                                            				intOrPtr _t22;
                                                            				intOrPtr _t23;
                                                            				intOrPtr _t24;
                                                            				signed int _t25;
                                                            
                                                            				_t23 = __edi;
                                                            				_t8 =  *0x42d330; // 0x6d29bea0
                                                            				_v8 = _t8 ^ _t25;
                                                            				_t24 = _a4;
                                                            				_t11 = FindNextFileW( *__ecx,  &_v600); // executed
                                                            				_t17 = _t16 & 0xffffff00 | _t11 != 0x00000000;
                                                            				_t27 = _t17;
                                                            				if(_t17 != 0) {
                                                            					E00409208( &_v600, _t22, _t24, _t27);
                                                            				}
                                                            				return E00416B12(_t17, _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                                            			}

















                                                            APIs
                                                            • FindNextFileW.KERNELBASE(?,?), ref: 00409345
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FileFindNext
                                                            • String ID:
                                                            • API String ID: 2029273394-0
                                                            • Opcode ID: ba9aaa0b6fb6c2b9981656ad43bb8ff57261fbd588c33b01968ce32a112db831
                                                            • Instruction ID: 50a54b88040d337bb30b5fd9b7dd6588afd92b3ccd64aa48da0fe6d42f572788
                                                            • Opcode Fuzzy Hash: ba9aaa0b6fb6c2b9981656ad43bb8ff57261fbd588c33b01968ce32a112db831
                                                            • Instruction Fuzzy Hash: D4F06531B11118ABC710EF64DD459EEB7B8AB49309B4400BBA801E7291EA34AE489B58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E00410D94(intOrPtr* _a8) {
                                                            				WCHAR* _v0;
                                                            				signed int _t9;
                                                            				intOrPtr _t16;
                                                            				intOrPtr* _t17;
                                                            
                                                            				_t17 = _a8;
                                                            				GetShortPathNameW(_v0, E00403FA3(_t17, 0x105), 0x105); // executed
                                                            				_t16 =  *_t17;
                                                            				_t9 = E0040116F(_t16);
                                                            				 *((short*)(_t16 + _t9 * 2)) = 0;
                                                            				 *(_t17 + 4) = _t9;
                                                            				asm("sbb eax, eax");
                                                            				return 0x103;
                                                            			}








                                                            APIs
                                                            • GetShortPathNameW.KERNEL32 ref: 00410DAE
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: NamePathShort
                                                            • String ID:
                                                            • API String ID: 1295925010-0
                                                            • Opcode ID: 6fae0eace9c53e5ecf934df93bf2eb8d8b54f1cf5e6833b2f46910c6f4da1c54
                                                            • Instruction ID: a71ba42fb66b3bcab4a07320303146cf8ca67d7ce159cff85be98903d7b5ab96
                                                            • Opcode Fuzzy Hash: 6fae0eace9c53e5ecf934df93bf2eb8d8b54f1cf5e6833b2f46910c6f4da1c54
                                                            • Instruction Fuzzy Hash: 3DE09A712096106FE710AF6CEC4886BE2EDEFA8710B00083FF482D32A0DA689D518664
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00410E98(WCHAR* _a4, intOrPtr* _a12) {
                                                            				WCHAR* _v0;
                                                            				int _t8;
                                                            				signed int _t9;
                                                            				intOrPtr _t14;
                                                            				intOrPtr* _t15;
                                                            
                                                            				_t15 = _a12;
                                                            				_t8 = GetTempFileNameW(_v0, _a4, 0, E00403FA3(_t15, 0x105)); // executed
                                                            				_t14 =  *_t15;
                                                            				_t9 = E0040116F(_t14);
                                                            				 *((short*)(_t14 + _t9 * 2)) = 0;
                                                            				 *(_t15 + 4) = _t9;
                                                            				return _t8;
                                                            			}









                                                            APIs
                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,00000000,00000105), ref: 00410EB6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FileNameTemp
                                                            • String ID:
                                                            • API String ID: 745986568-0
                                                            • Opcode ID: 89ee732e139718721cb7d2bd7b42053a77cea1bfb762c2ad0debfd8e99515b9f
                                                            • Instruction ID: 1256aeead1201c2553e3fa3d07c8bf1e1a978611c619f05f4f725b231cb39a67
                                                            • Opcode Fuzzy Hash: 89ee732e139718721cb7d2bd7b42053a77cea1bfb762c2ad0debfd8e99515b9f
                                                            • Instruction Fuzzy Hash: B5E01A72209711AFD7109F69AC05A5BB7EDEF88B10F10442FB581A32A0C6B569158B69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E00407512(intOrPtr __ecx, void* __esi, void* __eflags) {
                                                            				void* _t19;
                                                            				void* _t21;
                                                            				void* _t28;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            
                                                            				_t32 = __eflags;
                                                            				_push(4);
                                                            				E00416B21(E0042156B, _t21, _t28, __esi);
                                                            				 *((intOrPtr*)(_t31 - 0x10)) = __ecx;
                                                            				 *(_t31 - 4) = 3;
                                                            				E004070DC(_t21, __ecx + 0x4a0, _t28, __ecx, _t32); // executed
                                                            				 *(_t31 - 4) = 2;
                                                            				E004070AB(_t21, __ecx + 0x70, _t28, __ecx, _t32); // executed
                                                            				 *(_t31 - 4) = 1;
                                                            				E004070AB(_t21, __ecx + 0x50, _t28, __ecx, _t32); // executed
                                                            				 *(_t31 - 4) = 0;
                                                            				E004070AB(_t21, __ecx + 0x30, _t28, __ecx, _t32); // executed
                                                            				_t10 = _t31 - 4;
                                                            				 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
                                                            				_t19 = E004070AB(_t21, __ecx + 0x10, _t28, __ecx,  *_t10); // executed
                                                            				return E00416BF9(_t19);
                                                            			}









                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00407519
                                                              • Part of subcall function 004070DC: __EH_prolog3.LIBCMT ref: 004070E3
                                                              • Part of subcall function 004070AB: __EH_prolog3.LIBCMT ref: 004070B2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID:
                                                            • API String ID: 431132790-0
                                                            • Opcode ID: a2dfb0107afbf5b9dcd330f123fec27b88cc5bbc74443d789a3f71815f2b0a93
                                                            • Instruction ID: df91484ffcd8d91b4707bd9d7c24a84f0edf961155dc25835aee18bb5dbfda0e
                                                            • Opcode Fuzzy Hash: a2dfb0107afbf5b9dcd330f123fec27b88cc5bbc74443d789a3f71815f2b0a93
                                                            • Instruction Fuzzy Hash: EDF05EB0808750DAD714EBB1D50639EBBA06F14308F90469DD452232C2CB7C7709C65B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E004095E8(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                                            				long _v8;
                                                            				long _t12;
                                                            				signed int _t14;
                                                            				void** _t16;
                                                            
                                                            				_t16 = __ecx;
                                                            				_push(__ecx);
                                                            				_t12 =  *0x42cb34; // 0x400000
                                                            				if(_a8 > _t12) {
                                                            					_a8 = _t12;
                                                            				}
                                                            				_v8 = _v8 & 0x00000000;
                                                            				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
                                                            				 *_a12 = _v8;
                                                            				return _t14 & 0xffffff00 | _t14 != 0x00000000;
                                                            			}








                                                            APIs
                                                            • WriteFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040960B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp Download File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            • Opcode ID: b78c8f0ccf31d0e04b92ae2b446c5026141f050a122207180bcc39ec2181ce27
                                                            • Instruction ID: ce6839aeb588f27f8867698078c1af3c3476177279ac19fcad85c05ab0eaab47
                                                            • Opcode Fuzzy Hash: b78c8f0ccf31d0e04b92ae2b446c5026141f050a122207180bcc39ec2181ce27
                                                            • Instruction Fuzzy Hash: B0E0C275640208FBCB11CF95D941B9E7BBAAB08755F50C069F9149A260D339AA10EF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041A99E(intOrPtr _a4) {
                                                            				void* _t6;
                                                            
                                                            				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                            				 *0x430e7c = _t6;
                                                            				if(_t6 != 0) {
                                                            					 *0x4342d8 = 1;
                                                            					return 1;
                                                            				} else {
                                                            					return _t6;
                                                            				}
                                                            			}





                                                            APIs
                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041A9B3
                                                            Similarity
                                                            • API ID: CreateHeap
                                                            • String ID:
                                                            • API String ID: 10892065-0
                                                            • Opcode ID: 6705fbeee63e26d030e15f6d43d3b95a5db92502f44a05acec2408635e691eb1
                                                            • Instruction ID: ad416ea7c8b49a8563809eaa466955e11c78e76269a931f48dce1fda58f8df30
                                                            • Opcode Fuzzy Hash: 6705fbeee63e26d030e15f6d43d3b95a5db92502f44a05acec2408635e691eb1
                                                            • Instruction Fuzzy Hash: E7D05E726503046ADB109FB16C097723BDC9384795F144836B81CC62A0E578D5A0CA08
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00409535(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                                            				long _v8;
                                                            				signed int _t11;
                                                            
                                                            				_push(__ecx);
                                                            				_v8 = _v8 & 0x00000000;
                                                            				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
                                                            				 *_a12 = _v8;
                                                            				return _t11 & 0xffffff00 | _t11 != 0x00000000;
                                                            			}






                                                            APIs
                                                            • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040954B
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 5d9282babb6fcf3e00ba45c1f4ba6be9a1073a78d6b2a9e96cfd0fa35014f32c
                                                            • Instruction ID: a2cd3b8a2ea8a0c7dfc18a42d7b41d56f9abded95085a1eabc97c81f7edaf72b
                                                            • Opcode Fuzzy Hash: 5d9282babb6fcf3e00ba45c1f4ba6be9a1073a78d6b2a9e96cfd0fa35014f32c
                                                            • Instruction Fuzzy Hash: 7AE0EC75201208FFDB01CF90CC01F9E7BBDEB49755F208058E90496164C7759A14EB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004131B8(struct HWND__** __ecx) {
                                                            				struct HWND__* _t3;
                                                            				signed int _t4;
                                                            				signed int _t5;
                                                            				signed int* _t8;
                                                            
                                                            				_t8 = __ecx;
                                                            				_t3 =  *__ecx;
                                                            				if(_t3 != 0) {
                                                            					_t4 = DestroyWindow(_t3); // executed
                                                            					_t5 = _t4 & 0xffffff00 | _t4 != 0x00000000;
                                                            					if(_t5 != 0) {
                                                            						 *_t8 =  *_t8 & 0x00000000;
                                                            						return _t5;
                                                            					}
                                                            					return _t5;
                                                            				} else {
                                                            					return 1;
                                                            				}
                                                            			}








                                                            APIs
                                                            Similarity
                                                            • API ID: DestroyWindow
                                                            • String ID:
                                                            • API String ID: 3375834691-0
                                                            • Opcode ID: 53a8ea379b7d00479024dc1505115ad1629d640bb62f35358d3f99fe7c566f6c
                                                            • Instruction ID: 7298449ebcc8be9521e5c8a9423c1ed6b15aaaa6b217507720e11277dd58528e
                                                            • Opcode Fuzzy Hash: 53a8ea379b7d00479024dc1505115ad1629d640bb62f35358d3f99fe7c566f6c
                                                            • Instruction Fuzzy Hash: EAD01231714211A7DB705E2DB8447D633DD5F11723B15445AFC80CB240DB68DDC35A58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00412E93(void* __ecx) {
                                                            				int _t7;
                                                            
                                                            				E0040FC41( *((intOrPtr*)(__ecx + 0x54)));
                                                            				if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
                                                            					 *((char*)(__ecx + 0x51)) = 1;
                                                            					return 0;
                                                            				} else {
                                                            					_t7 = PostMessageW( *(__ecx + 4), 0x8000, 0, 0); // executed
                                                            					return _t7;
                                                            				}
                                                            			}





                                                            APIs
                                                              • Part of subcall function 0040FC41: WaitForSingleObject.KERNEL32(?,000000FF,0040B19F,00000000,?,?,?,004017D2,00000004,00401A97,?,?,?), ref: 0040FC47
                                                            • PostMessageW.USER32(?,00008000,00000000,00000000), ref: 00412EAF
                                                            Similarity
                                                            • API ID: MessageObjectPostSingleWait
                                                            • String ID:
                                                            • API String ID: 1869837590-0
                                                            • Opcode ID: 54403d254d6dece21fdd30bf551ef77a2a7b988ed31ba3920b28ef320dc540f1
                                                            • Instruction ID: edc2d39b9b95d8753d24a0c99186f72b6eb965518e6ef86668453d206e3306f5
                                                            • Opcode Fuzzy Hash: 54403d254d6dece21fdd30bf551ef77a2a7b988ed31ba3920b28ef320dc540f1
                                                            • Instruction Fuzzy Hash: 2FD0A7314187A0AEE771A734BD06AE77BD9AB00304B0C08BEB4C291D55C7E5BC959764
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004091A4(void** __ecx) {
                                                            				void* _t1;
                                                            				int _t3;
                                                            				signed int* _t6;
                                                            
                                                            				_t6 = __ecx;
                                                            				_t1 =  *__ecx;
                                                            				if(_t1 == 0xffffffff) {
                                                            					L4:
                                                            					return 1;
                                                            				} else {
                                                            					_t3 = FindClose(_t1); // executed
                                                            					if(_t3 != 0) {
                                                            						 *_t6 =  *_t6 | 0xffffffff;
                                                            						goto L4;
                                                            					} else {
                                                            						return 0;
                                                            					}
                                                            				}
                                                            			}







                                                            APIs
                                                            Similarity
                                                            • API ID: CloseFind
                                                            • String ID:
                                                            • API String ID: 1863332320-0
                                                            • Opcode ID: ceed599eb068a9b020e5a439002c9ac0e64598cc8ca2fb7ebb587fd943f36f4f
                                                            • Instruction ID: e6f65a1a3ae19892a9c0185e9ae34a5b8dc5a998896a5f52585ecf58a904d7a6
                                                            • Opcode Fuzzy Hash: ceed599eb068a9b020e5a439002c9ac0e64598cc8ca2fb7ebb587fd943f36f4f
                                                            • Instruction Fuzzy Hash: D6D0127121412286DE745E3C78485C273D95B06370325076AF0B0D73E5D378DC835668
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E004073C7(void* __edx, void* __eflags) {
                                                            				void* _t13;
                                                            				void* _t15;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				void* _t20;
                                                            				void* _t21;
                                                            
                                                            				_t21 = __eflags;
                                                            				_push(0xc);
                                                            				E00416B54(E00421524, _t15, _t18, _t19);
                                                            				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                                                            				_t13 = E00407148(_t15,  *((intOrPtr*)(_t20 + 8)), __edx, _t18, _t19, _t21,  *((intOrPtr*)(_t20 + 0xc)),  *((intOrPtr*)(_t20 + 0x10)),  *((intOrPtr*)(_t20 + 0x14)),  *((intOrPtr*)(_t20 + 0x18)),  *((intOrPtr*)(_t20 + 0x1c)),  *((intOrPtr*)(_t20 + 0x20)),  *((intOrPtr*)(_t20 + 0x24))); // executed
                                                            				return E00416BF9(_t13);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3_catch.LIBCMT ref: 004073CE
                                                              • Part of subcall function 00407148: __EH_prolog3.LIBCMT ref: 0040714F
                                                            Similarity
                                                            • API ID: H_prolog3H_prolog3_catch
                                                            • String ID:
                                                            • API String ID: 1882928916-0
                                                            • Opcode ID: 28e09e3b734dcda83a9779a142a1a0cda2b6bb65c50fddb9d581310a60e990cb
                                                            • Instruction ID: 84ce1d22dcfe6e103ce055f2b8b6750ac12f05c8568533fdb2c5d1bbdb3a852e
                                                            • Opcode Fuzzy Hash: 28e09e3b734dcda83a9779a142a1a0cda2b6bb65c50fddb9d581310a60e990cb
                                                            • Instruction Fuzzy Hash: F2E0B632504109EBDF02AF80CC01EDD3F62BF48308F11815ABA04291A1C73AD9B1AB1A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00409469(void** __ecx) {
                                                            				void* _t1;
                                                            				int _t3;
                                                            				signed int* _t6;
                                                            
                                                            				_t6 = __ecx;
                                                            				_t1 =  *__ecx;
                                                            				if(_t1 == 0xffffffff) {
                                                            					L4:
                                                            					return 1;
                                                            				} else {
                                                            					_t3 = FindCloseChangeNotification(_t1); // executed
                                                            					if(_t3 != 0) {
                                                            						 *_t6 =  *_t6 | 0xffffffff;
                                                            						goto L4;
                                                            					} else {
                                                            						return 0;
                                                            					}
                                                            				}
                                                            			}







                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE ref: 00409474
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            • String ID:
                                                            • API String ID: 2591292051-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040FC1B(signed int* _a4) {
                                                            				void* _t2;
                                                            				int _t4;
                                                            				signed int* _t6;
                                                            
                                                            				_t6 = _a4;
                                                            				_t2 =  *_t6;
                                                            				if(_t2 == 0) {
                                                            					L3:
                                                            					 *_t6 =  *_t6 & 0x00000000;
                                                            					return 0;
                                                            				}
                                                            				_t4 = FindCloseChangeNotification(_t2); // executed
                                                            				if(_t4 != 0) {
                                                            					goto L3;
                                                            				}
                                                            				return E0040FBFF();
                                                            			}







                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,00401769,?,?,00401A40,?,?,?), ref: 0040FC27
                                                              • Part of subcall function 0040FBFF: GetLastError.KERNEL32(0040FC36,?,00401769,?,?,00401A40,?,?,?), ref: 0040FBFF
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseErrorFindLastNotification
                                                            • String ID:
                                                            • API String ID: 1687624791-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E004134A7(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t20;
                                                            
                                                            				_push(0xc);
                                                            				E00416B54(E00422122, __ebx, __edi, __esi);
                                                            				 *((intOrPtr*)(_t20 - 0x14)) = __ecx;
                                                            				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                                                            				_t19 =  *((intOrPtr*)(__ecx + 0x1c)) + 0x70;
                                                            				 *((intOrPtr*)(_t20 - 0x18)) =  *((intOrPtr*)(__ecx + 0x1c)) + 0x70;
                                                            				 *(_t20 - 4) = 1;
                                                            				E00413320(__ebx, __ecx, __edx, __edi,  *((intOrPtr*)(__ecx + 0x1c)) + 0x70, _t19); // executed
                                                            				return E00416BF9(E00412E93(_t19));
                                                            			}





                                                            APIs
                                                            • __EH_prolog3_catch.LIBCMT ref: 004134AE
                                                              • Part of subcall function 00413320: __EH_prolog3.LIBCMT ref: 00413327
                                                              • Part of subcall function 00412E93: PostMessageW.USER32(?,00008000,00000000,00000000), ref: 00412EAF
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3H_prolog3_catchMessagePost
                                                            • String ID:
                                                            • API String ID: 2353938149-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00417657(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t9;
                                                            				void* _t18;
                                                            
                                                            				_push(0xc);
                                                            				_push(0x42a470);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				E0041AA6A();
                                                            				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
                                                            				_t9 = E0041756C(__edx,  *((intOrPtr*)(_t18 + 8))); // executed
                                                            				 *((intOrPtr*)(_t18 - 0x1c)) = _t9;
                                                            				 *(_t18 - 4) = 0xfffffffe;
                                                            				E0041768D();
                                                            				return E00417BB1( *((intOrPtr*)(_t18 - 0x1c)));
                                                            			}






                                                            APIs
                                                              • Part of subcall function 0041AA6A: __lock.LIBCMT ref: 0041AA6C
                                                            • __onexit_nolock.LIBCMT ref: 0041766F
                                                              • Part of subcall function 0041756C: __decode_pointer.LIBCMT ref: 0041757B
                                                              • Part of subcall function 0041756C: __decode_pointer.LIBCMT ref: 0041758B
                                                              • Part of subcall function 0041756C: __msize.LIBCMT ref: 004175A9
                                                              • Part of subcall function 0041756C: __realloc_crt.LIBCMT ref: 004175CD
                                                              • Part of subcall function 0041756C: __realloc_crt.LIBCMT ref: 004175E3
                                                              • Part of subcall function 0041756C: __encode_pointer.LIBCMT ref: 004175F5
                                                              • Part of subcall function 0041756C: __encode_pointer.LIBCMT ref: 00417603
                                                              • Part of subcall function 0041756C: __encode_pointer.LIBCMT ref: 0041760E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
                                                            • String ID:
                                                            • API String ID: 1316407801-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E004060EC(void* __ecx, void* __eflags) {
                                                            				void* _t8;
                                                            				void* _t10;
                                                            				void* _t12;
                                                            				void* _t13;
                                                            				void* _t14;
                                                            				void* _t15;
                                                            
                                                            				_t15 = __eflags;
                                                            				_push(4);
                                                            				E00416B54(E004212DE, _t10, _t12, _t13);
                                                            				 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                                                            				_t8 = E00405E50(_t10, __ecx, _t12, _t13, _t15,  *((intOrPtr*)(_t14 + 8)),  *((intOrPtr*)(_t14 + 0xc)),  *((intOrPtr*)(_t14 + 0x10))); // executed
                                                            				return E00416BF9(_t8);
                                                            			}










                                                            APIs
                                                            • __EH_prolog3_catch.LIBCMT ref: 004060F3
                                                              • Part of subcall function 00405E50: __EH_prolog3.LIBCMT ref: 00405E57
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3H_prolog3_catch
                                                            • String ID:
                                                            • API String ID: 1882928916-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E0041AC6E(intOrPtr _a4) {
                                                            				void* __ebp;
                                                            				void* _t2;
                                                            				void* _t3;
                                                            				void* _t4;
                                                            				void* _t5;
                                                            				void* _t8;
                                                            
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(_a4);
                                                            				_t2 = E0041AB42(_t3, _t4, _t5, _t8); // executed
                                                            				return _t2;
                                                            			}










                                                            APIs
                                                            • _doexit.LIBCMT ref: 0041AC7A
                                                              • Part of subcall function 0041AB42: __lock.LIBCMT ref: 0041AB50
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041AB87
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041AB9C
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041ABC6
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041ABDC
                                                              • Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041ABE9
                                                              • Part of subcall function 0041AB42: __initterm.LIBCMT ref: 0041AC18
                                                              • Part of subcall function 0041AB42: __initterm.LIBCMT ref: 0041AC28
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __decode_pointer$__initterm$__lock_doexit
                                                            • String ID:
                                                            • API String ID: 1597249276-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E004095BB(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
                                                            				signed int _t4;
                                                            
                                                            				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
                                                            				asm("sbb eax, eax");
                                                            				return  ~( ~_t4);
                                                            			}





                                                            APIs
                                                            • SetFileTime.KERNELBASE(?,?,?,?), ref: 004095C9
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FileTime
                                                            • String ID:
                                                            • API String ID: 1425588814-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040D84E(intOrPtr _a4) {
                                                            				void* _t3;
                                                            				void* _t5;
                                                            				void* _t7;
                                                            				void* _t8;
                                                            
                                                            				if(_a4 != 0) {
                                                            					_t3 = E00417414(_t5, _t7, _t8, _a4); // executed
                                                            					return _t3;
                                                            				}
                                                            				return 0;
                                                            			}







                                                            0x0040d853
                                                            0x0040d85d
                                                            0x00000000
                                                            0x0040d862
                                                            0x00000000

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: _malloc
                                                            • String ID:
                                                            • API String ID: 1579825452-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00410729(void* __ecx) {
                                                            
                                                            				SendMessageW( *(__ecx + 4), 0x80, 1, 0); // executed
                                                            				return 1;
                                                            			}



                                                            0x00410735
                                                            0x0041073d

                                                            APIs
                                                            • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00410735
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041079E(long __ecx, WCHAR* _a4, struct HWND__* _a8) {
                                                            				int _t3;
                                                            
                                                            				_t3 = DialogBoxParamW( *0x43063c, _a4, _a8, E004106BD, __ecx); // executed
                                                            				return _t3;
                                                            			}




                                                            0x004107b2
                                                            0x004107b8

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: DialogParam
                                                            • String ID:
                                                            • API String ID: 665744214-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E00411A09(struct HWND__** __ecx, WCHAR* _a4) {
                                                            				signed int _t2;
                                                            
                                                            				_t2 = SetWindowTextW( *__ecx, _a4); // executed
                                                            				asm("sbb eax, eax");
                                                            				return  ~( ~_t2);
                                                            			}




                                                            0x00411a0f
                                                            0x00411a17
                                                            0x00411a1b

                                                            APIs
                                                            • SetWindowTextW.USER32(?,?), ref: 00411A0F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: TextWindow
                                                            • String ID:
                                                            • API String ID: 530164218-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00411C72(struct HWND__** __ecx, int _a4) {
                                                            				long _t2;
                                                            
                                                            				_t2 = SendMessageW( *__ecx, 0x402, _a4, 0); // executed
                                                            				return _t2;
                                                            			}




                                                            0x00411c7f
                                                            0x00411c85

                                                            APIs
                                                            • SendMessageW.USER32(?,00000402,?,00000000), ref: 00411C7F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00411EBA(void* __ecx) {
                                                            
                                                            				EndDialog( *(__ecx + 4), 0); // executed
                                                            				return 1;
                                                            			}



                                                            0x00411ebf
                                                            0x00411ec7

                                                            APIs
                                                            • EndDialog.USER32(?,00000000), ref: 00411EBF
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Dialog
                                                            • String ID:
                                                            • API String ID: 1120787796-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00418676() {
                                                            				void* _t1;
                                                            
                                                            				_t1 = E00418604(0); // executed
                                                            				return _t1;
                                                            			}




                                                            0x00418678
                                                            0x0041867e

                                                            APIs
                                                            • __encode_pointer.LIBCMT ref: 00418678
                                                              • Part of subcall function 00418604: TlsGetValue.KERNEL32(00000000,?,0041867D,00000000,0041C3DC,004306C8,00000000,00000314,?,0041858F,004306C8,Microsoft Visual C++ Runtime Library,00012010), ref: 00418616
                                                              • Part of subcall function 00418604: TlsGetValue.KERNEL32(00000005,?,0041867D,00000000,0041C3DC,004306C8,00000000,00000314,?,0041858F,004306C8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041862D
                                                              • Part of subcall function 00418604: RtlEncodePointer.NTDLL(00000000,?,0041867D,00000000,0041C3DC,004306C8,00000000,00000314,?,0041858F,004306C8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041866B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Value$EncodePointer__encode_pointer
                                                            • String ID:
                                                            • API String ID: 2585649348-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040D873(long _a4) {
                                                            				void* _t3;
                                                            
                                                            				if(_a4 != 0) {
                                                            					_t3 = VirtualAlloc(0, _a4, 0x1000, 4); // executed
                                                            					return _t3;
                                                            				}
                                                            				return 0;
                                                            			}




                                                            0x0040d878
                                                            0x0040d88b
                                                            0x00000000
                                                            0x0040d88b
                                                            0x00000000

                                                            APIs
                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00407672,00020000), ref: 0040D88B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040D894(void* _a4) {
                                                            				void* _t3;
                                                            				int _t4;
                                                            
                                                            				if(_a4 != 0) {
                                                            					_t4 = VirtualFree(_a4, 0, 0x8000); // executed
                                                            					return _t4;
                                                            				}
                                                            				return _t3;
                                                            			}






                                                            APIs
                                                            • VirtualFree.KERNELBASE(?,00000000,00008000,0040A8A2,?,?,004070C5,00000004), ref: 0040D8A6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: 6cb800e3b21292d7a01e8d915fab6851819cbdd43799a7b69ebaca4b63cd47eb
                                                            • Instruction ID: 0a782922268e19acd864cb2e137f5d939f388066cb3675ff771b179204057813
                                                            • Opcode Fuzzy Hash: 6cb800e3b21292d7a01e8d915fab6851819cbdd43799a7b69ebaca4b63cd47eb
                                                            • Instruction Fuzzy Hash: 5FC09B71744300BEE7216F04DD09B07B6606B50701F10C4357254340E847785414DE1D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            C-Code - Quality: 85%
                                                            			E00416B12(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                            				intOrPtr _v0;
                                                            				void* _v804;
                                                            				intOrPtr _v808;
                                                            				intOrPtr _v812;
                                                            				intOrPtr _t6;
                                                            				intOrPtr _t11;
                                                            				intOrPtr _t12;
                                                            				intOrPtr _t13;
                                                            				long _t17;
                                                            				intOrPtr _t21;
                                                            				intOrPtr _t22;
                                                            				intOrPtr _t25;
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t27;
                                                            				intOrPtr* _t31;
                                                            				void* _t34;
                                                            
                                                            				_t27 = __esi;
                                                            				_t26 = __edi;
                                                            				_t25 = __edx;
                                                            				_t22 = __ecx;
                                                            				_t21 = __ebx;
                                                            				_t6 = __eax;
                                                            				_t34 = _t22 -  *0x42d330; // 0x6d29bea0
                                                            				if(_t34 == 0) {
                                                            					asm("repe ret");
                                                            				}
                                                            				 *0x430b08 = _t6;
                                                            				 *0x430b04 = _t22;
                                                            				 *0x430b00 = _t25;
                                                            				 *0x430afc = _t21;
                                                            				 *0x430af8 = _t27;
                                                            				 *0x430af4 = _t26;
                                                            				 *0x430b20 = ss;
                                                            				 *0x430b14 = cs;
                                                            				 *0x430af0 = ds;
                                                            				 *0x430aec = es;
                                                            				 *0x430ae8 = fs;
                                                            				 *0x430ae4 = gs;
                                                            				asm("pushfd");
                                                            				_pop( *0x430b18);
                                                            				 *0x430b0c =  *_t31;
                                                            				 *0x430b10 = _v0;
                                                            				 *0x430b1c =  &_a4;
                                                            				 *0x430a58 = 0x10001;
                                                            				_t11 =  *0x430b10; // 0x0
                                                            				 *0x430a0c = _t11;
                                                            				 *0x430a00 = 0xc0000409;
                                                            				 *0x430a04 = 1;
                                                            				_t12 =  *0x42d330; // 0x6d29bea0
                                                            				_v812 = _t12;
                                                            				_t13 =  *0x42d334; // 0x92d6415f
                                                            				_v808 = _t13;
                                                            				 *0x430a50 = IsDebuggerPresent();
                                                            				_push(1);
                                                            				E0041D30F(_t14);
                                                            				SetUnhandledExceptionFilter(0);
                                                            				_t17 = UnhandledExceptionFilter(0x424afc);
                                                            				if( *0x430a50 == 0) {
                                                            					_push(1);
                                                            					E0041D30F(_t17);
                                                            				}
                                                            				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                            			}




















                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32 ref: 00419AB7
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00419ACC
                                                            • UnhandledExceptionFilter.KERNEL32(00424AFC), ref: 00419AD7
                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00419AF3
                                                            • TerminateProcess.KERNEL32(00000000), ref: 00419AFA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                            • String ID:
                                                            • API String ID: 2579439406-0
                                                            • Opcode ID: a918bf17ed6755c8c93a3fec57836d41ced2a735aa7a5f4a8140f49a9c0783ae
                                                            • Instruction ID: a3ae943e02b669ff2a6498971f269fac364f055245c94165238cd76a69923d3c
                                                            • Opcode Fuzzy Hash: a918bf17ed6755c8c93a3fec57836d41ced2a735aa7a5f4a8140f49a9c0783ae
                                                            • Instruction Fuzzy Hash: B92103B4A103089FC750EF55FD64A54BBB4BB18305F50623AE41883B60E7B8A981CF4D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E004187A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				struct HINSTANCE__* _t23;
                                                            				intOrPtr _t28;
                                                            				intOrPtr _t32;
                                                            				intOrPtr _t45;
                                                            				void* _t46;
                                                            
                                                            				_t35 = __ebx;
                                                            				_push(0xc);
                                                            				_push(0x42a518);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				_t44 = L"KERNEL32.DLL";
                                                            				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                                                            				if(_t23 == 0) {
                                                            					_t23 = E0041A9CE(_t44);
                                                            				}
                                                            				 *(_t46 - 0x1c) = _t23;
                                                            				_t45 =  *((intOrPtr*)(_t46 + 8));
                                                            				 *((intOrPtr*)(_t45 + 0x5c)) = 0x424b30;
                                                            				 *((intOrPtr*)(_t45 + 0x14)) = 1;
                                                            				if(_t23 != 0) {
                                                            					_t35 = GetProcAddress;
                                                            					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                                                            					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
                                                            				}
                                                            				 *((intOrPtr*)(_t45 + 0x70)) = 1;
                                                            				 *((char*)(_t45 + 0xc8)) = 0x43;
                                                            				 *((char*)(_t45 + 0x14b)) = 0x43;
                                                            				 *(_t45 + 0x68) = 0x42d840;
                                                            				E00419EA7(_t35, 0xd);
                                                            				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                                                            				InterlockedIncrement( *(_t45 + 0x68));
                                                            				 *(_t46 - 4) = 0xfffffffe;
                                                            				E0041887D();
                                                            				E00419EA7(_t35, 0xc);
                                                            				 *(_t46 - 4) = 1;
                                                            				_t28 =  *((intOrPtr*)(_t46 + 0xc));
                                                            				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
                                                            				if(_t28 == 0) {
                                                            					_t32 =  *0x42d830; // 0x42d758
                                                            					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
                                                            				}
                                                            				E0041C7F2( *((intOrPtr*)(_t45 + 0x6c)));
                                                            				 *(_t46 - 4) = 0xfffffffe;
                                                            				return E00417BB1(E00418886());
                                                            			}









                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042A518,0000000C,004188E3,00000000,00000000,?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C), ref: 004187BA
                                                            • __crt_waiting_on_module_handle.LIBCMT ref: 004187C5
                                                              • Part of subcall function 0041A9CE: Sleep.KERNEL32(000003E8,?,?,004186CE,KERNEL32.DLL,?,0041873A,?,00417A43), ref: 0041A9DA
                                                              • Part of subcall function 0041A9CE: GetModuleHandleW.KERNEL32(?,?,?,004186CE,KERNEL32.DLL,?,0041873A,?,00417A43), ref: 0041A9E3
                                                            • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004187EE
                                                            • GetProcAddress.KERNEL32(?,DecodePointer), ref: 004187FE
                                                            • __lock.LIBCMT ref: 00418820
                                                            • InterlockedIncrement.KERNEL32(0042D840), ref: 0041882D
                                                            • __lock.LIBCMT ref: 00418841
                                                            • ___addlocaleref.LIBCMT ref: 0041885F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                            • String ID: 0KB$DecodePointer$EncodePointer$KERNEL32.DLL
                                                            • API String ID: 1028249917-1715683212
                                                            • Opcode ID: 4eb2d2d8578cbe2392ac86c1bfc58d6bd58baf4d5e2e4a7a381ae62765332dd5
                                                            • Instruction ID: 4d8d1e5cb8e65c047eab52f700794214e88104f2c80f6a1ae4ac75198ce655ca
                                                            • Opcode Fuzzy Hash: 4eb2d2d8578cbe2392ac86c1bfc58d6bd58baf4d5e2e4a7a381ae62765332dd5
                                                            • Instruction Fuzzy Hash: 65117571A44701AED720EF76E845B9ABBF0AF44318F60452FE46993291CB7CA981CF5C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E0040A76E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t29;
                                                            				intOrPtr _t39;
                                                            				void* _t40;
                                                            
                                                            				_push(8);
                                                            				E00416B21(E00421764, __ebx, __edi, __esi);
                                                            				_t39 = __ecx;
                                                            				 *((intOrPtr*)(_t40 - 0x14)) = __ecx;
                                                            				 *((intOrPtr*)(__ecx + 4)) = 0x423648;
                                                            				 *((intOrPtr*)(__ecx + 8)) = 0x423320;
                                                            				 *((intOrPtr*)(__ecx + 0xc)) = 0x423848;
                                                            				 *((intOrPtr*)(__ecx + 0x10)) = 0x423434;
                                                            				 *((intOrPtr*)(__ecx + 0x14)) = 0x423860;
                                                            				 *((intOrPtr*)(__ecx + 0x18)) = 0x423874;
                                                            				 *((intOrPtr*)(__ecx + 0x1c)) = 0x423634;
                                                            				 *((intOrPtr*)(__ecx + 0x20)) = 0;
                                                            				 *((intOrPtr*)(__ecx)) = 0x42391c;
                                                            				 *((intOrPtr*)(__ecx + 4)) = 0x423904;
                                                            				 *((intOrPtr*)(__ecx + 8)) = 0x4238f0;
                                                            				 *((intOrPtr*)(__ecx + 0xc)) = 0x4238d8;
                                                            				 *((intOrPtr*)(__ecx + 0x10)) = 0x4238c4;
                                                            				 *((intOrPtr*)(__ecx + 0x14)) = 0x4238b0;
                                                            				 *((intOrPtr*)(__ecx + 0x18)) = 0x42389c;
                                                            				 *((intOrPtr*)(__ecx + 0x1c)) = 0x423888;
                                                            				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                                                            				 *((intOrPtr*)(_t40 - 4)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x50)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x54)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x58)) = 0;
                                                            				 *((char*)(_t40 - 4)) = 4;
                                                            				_t29 = E0040D873(0x20000);
                                                            				 *((intOrPtr*)(__ecx + 0x24)) = _t29;
                                                            				if(_t29 == 0) {
                                                            					 *((intOrPtr*)(_t40 - 0x10)) = 1;
                                                            					E004166E0(_t40 - 0x10, 0x4286f8);
                                                            				}
                                                            				return E00416BF9(_t39);
                                                            			}







                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040A775
                                                            • __CxxThrowException@8.LIBCMT ref: 0040A823
                                                              • Part of subcall function 004166E0: RaiseException.KERNEL32(?,?,?,00000001), ref: 00416722
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ExceptionException@8H_prolog3RaiseThrow
                                                            • String ID: 3B$44B$46B$H6B$H8B$`8B$t8B
                                                            • API String ID: 1961742612-2761110864
                                                            • Opcode ID: b1548735c7c1e4b7c7ad086c812b5e9b681731f2be5f1e43510b18a1fb9d846f
                                                            • Instruction ID: c0ed3f570d0a6da7dbc72ff777c841338a477779ef8172924cce9f6de6350eef
                                                            • Opcode Fuzzy Hash: b1548735c7c1e4b7c7ad086c812b5e9b681731f2be5f1e43510b18a1fb9d846f
                                                            • Instruction Fuzzy Hash: 4F11B4B0A01B649EC720EF56A40414AFAF4BF50709B90C90FE0969BA11C7FCA649CF88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0041397A(void* __ecx) {
                                                            				WCHAR* _t12;
                                                            				signed short _t15;
                                                            				signed int _t18;
                                                            				short* _t19;
                                                            				wchar_t* _t21;
                                                            				short* _t25;
                                                            				void* _t29;
                                                            				intOrPtr _t30;
                                                            				WCHAR* _t31;
                                                            
                                                            				_t29 = __ecx;
                                                            				_t31 = __ecx + 0xc;
                                                            				if( *_t31 == 0) {
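                                                            					// 0x1300 = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS;
                                                            					// the system allocates the message buffer and stores its pointer in *_t31.
                                                            					FormatMessageW(0x1300, 0,  *(__ecx + 4), 0x400, _t31, 0, 0);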
                                                            					_t12 =  *_t31;
                                                            					if(_t12 == 0) {
                                                            						_t21 = LocalAlloc(0, 0x40);
                                                            						 *_t31 = _t21;
                                                            						if(_t21 != 0) {
                                                            							_t30 =  *((intOrPtr*)(_t29 + 4));
                                                            							_t15 = E00413828(_t30) & 0x0000ffff;
                                                            							if(_t15 == 0) {
                                                            								_push(_t30);
                                                            								_push(L"Unknown error 0x%0lX");
                                                            							} else {
                                                            								_push(_t15 & 0x0000ffff);
                                                            								_push(L"IDispatch error #%d");
                                                            							}
                                                            							swprintf(_t21, 0x20);
                                                            						}
                                                            					} else {
                                                            						_t18 = lstrlenW(_t12);
                                                            						if(_t18 > 1) {
                                                            							_t25 =  *_t31 + _t18 * 2 - 2;
                                                            							if( *_t25 == 0xa) {
                                                            								 *_t25 = 0;
                                                            								_t19 =  *_t31 + _t18 * 2 - 4;
                                                            								if( *_t19 == 0xd) {
                                                            									 *_t19 = 0;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return  *_t31;
                                                            			}













                                                            APIs
                                                            • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 0041399D
                                                            • lstrlenW.KERNEL32(00000000), ref: 004139AA
                                                            • LocalAlloc.KERNEL32(00000000,00000040), ref: 004139DD
                                                            • swprintf.LIBCMT ref: 00413A10
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AllocFormatLocalMessagelstrlenswprintf
                                                            • String ID: IDispatch error #%d$Unknown error 0x%0lX
                                                            • API String ID: 2315917530-2934499512
                                                            • Opcode ID: 1007b1d4e643293475a76aff5da773719591f5f1a5e5eba02f0138274c1fd98f
                                                            • Instruction ID: f10323cc770acb026687d76090fc9bd105fa0f7589f96fb523d81ed819a8aa42
                                                            • Opcode Fuzzy Hash: 1007b1d4e643293475a76aff5da773719591f5f1a5e5eba02f0138274c1fd98f
                                                            • Instruction Fuzzy Hash: CD110475200214ABC3209F96EC40DB777A9EF4538A760045FF185A7241C379AE92C7B8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E004138BE(void* __ebx, void* __edx, void* __eflags) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t15;
                                                            				long _t26;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				void* _t35;
                                                            				void* _t37;
                                                            				signed int _t38;
                                                            				void* _t40;
                                                            
                                                            				_t31 = __edx;
                                                            				_t38 = _t40 - 0x1f8c;
                                                            				E00417EA0(0x200c);
                                                            				_t15 =  *0x42d330; // 0x6d29bea0
                                                            				 *(_t38 + 0x1f88) = _t15 ^ _t38;
                                                            				E00417D60(0x2000, _t38 - 0x78, 0, 0x2000);
                                                            				GetModuleFileNameW(0, _t38 - 0x78, 0x2000);
                                                            				 *(_t38 - 0x7c) = 0;
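                                                            				// 0x80000001 = HKEY_CURRENT_USER, 0xf003f = KEY_ALL_ACCESS: opens or creates the
                                                            				// Compatibility Assistant "Persisted" key under the current user's hive.
                                                            				RegCreateKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted", 0, 0, 0, 0xf003f, 0, _t38 - 0x7c, 0);
                                                            				 *(_t38 - 0x80) = 0x20;
                                                            				// Value name is this module's full path (from GetModuleFileNameW); type 4 = REG_DWORD, data = 0x20.
                                                            				RegSetValueExW( *(_t38 - 0x7c), _t38 - 0x78, 0, 4, _t38 - 0x80, 4);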
                                                            				_t26 = RegCloseKey( *(_t38 - 0x7c));
                                                            				_t34 = _t32;
                                                            				_t37 = _t35;
                                                            				return E00416B12(_t26, __ebx,  *(_t38 + 0x1f88) ^ _t38, _t31, _t34, _t37);
                                                            			}















                                                            APIs
                                                            • _memset.LIBCMT ref: 004138EC
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00002000), ref: 004138FA
                                                            • RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0041391B
                                                            • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00413938
                                                            • RegCloseKey.ADVAPI32(?), ref: 00413941
                                                            Strings
                                                            • Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted, xrefs: 0041390E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateFileModuleNameValue_memset
                                                            • String ID: Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
                                                            • API String ID: 2280741871-1848367592
                                                            • Opcode ID: 8082dd58de45f4dff7bdfc74514df0a5a51cbff410d03d1bd434bab7d9ddbba1
                                                            • Instruction ID: c7f43e50d42ea44c9d94cf56d05aa8b030a1cd6eea72f480556a558956673729
                                                            • Opcode Fuzzy Hash: 8082dd58de45f4dff7bdfc74514df0a5a51cbff410d03d1bd434bab7d9ddbba1
                                                            • Instruction Fuzzy Hash: A9112E72A00118AAE7309FA1EC48EEEBF7CEF45355F50002AFA15A3145D7345644CF68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E00411A77(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t51;
                                                            				void* _t58;
                                                            				void* _t65;
                                                            				void* _t72;
                                                            				void* _t102;
                                                            				void* _t103;
                                                            				void* _t106;
                                                            
                                                            				_t106 = __eflags;
                                                            				_t83 = __ebx;
                                                            				_push(0x3c);
                                                            				E00416B21(E00421EB1, __ebx, __edi, __esi);
                                                            				_t102 = __ecx;
                                                            				 *((intOrPtr*)(_t102 + 0x20)) = GetDlgItem( *(__ecx + 4), 0x3e9);
                                                            				E00411A09(_t102 + 0x20,  *((intOrPtr*)(_t102 + 0x28)));
                                                            				E0040320A(_t103 - 0x3c);
                                                            				 *(_t103 - 4) =  *(_t103 - 4) & 0x00000000;
                                                            				_t51 = E0040C825(_t103 - 0x3c, _t103 - 0x30, 0x45);
                                                            				 *(_t103 - 4) = 1;
                                                            				E00408639(_t103 - 0x3c, _t103, _t51);
                                                            				_push( *(_t103 - 0x30));
                                                            				 *(_t103 - 4) = 0;
                                                            				L00408BFB(__ebx, __edi, _t102, _t106);
                                                            				SetWindowTextW( *(_t102 + 4),  *(_t103 - 0x3c));
                                                            				E0040320A(_t103 - 0x30);
                                                            				 *(_t103 - 4) = 2;
                                                            				_t58 = E0040C825(_t103 - 0x30, _t103 - 0x24, 0x13);
                                                            				 *(_t103 - 4) = 3;
                                                            				E00408639(_t103 - 0x30, _t103, _t58);
                                                            				_push( *(_t103 - 0x24));
                                                            				 *(_t103 - 4) = 2;
                                                            				L00408BFB(__ebx, __edi, _t102, _t106);
                                                            				_t100 = SetDlgItemTextW;
                                                            				SetDlgItemTextW( *(_t102 + 4), 0x3e8,  *(_t103 - 0x30));
                                                            				E0040320A(_t103 - 0x24);
                                                            				 *(_t103 - 4) = 4;
                                                            				_t65 = E0040C825(_t103 - 0x24, _t103 - 0x18, 0x14);
                                                            				 *(_t103 - 4) = 5;
                                                            				E00408639(_t103 - 0x24, _t103, _t65);
                                                            				_push( *(_t103 - 0x18));
                                                            				 *(_t103 - 4) = 4;
                                                            				L00408BFB(__ebx, SetDlgItemTextW, _t102, _t106);
                                                            				SetDlgItemTextW( *(_t102 + 4), 1,  *(_t103 - 0x24));
                                                            				E0040320A(_t103 - 0x18);
                                                            				 *(_t103 - 4) = 6;
                                                            				_t72 = E0040C825(_t103 - 0x18, _t103 - 0x48, 0x15);
                                                            				 *(_t103 - 4) = 7;
                                                            				E00408639(_t103 - 0x18, _t103, _t72);
                                                            				_push( *((intOrPtr*)(_t103 - 0x48)));
                                                            				 *(_t103 - 4) = 6;
                                                            				L00408BFB(_t83, SetDlgItemTextW, _t102, _t106);
                                                            				SetDlgItemTextW( *(_t102 + 4), 2,  *(_t103 - 0x18));
                                                            				E00410729(_t102);
                                                            				_push( *(_t103 - 0x18));
                                                            				L00408BFB(_t83, SetDlgItemTextW, _t102, _t106);
                                                            				_push( *(_t103 - 0x24));
                                                            				L00408BFB(_t83, SetDlgItemTextW, _t102, _t106);
                                                            				_push( *(_t103 - 0x30));
                                                            				L00408BFB(_t83, _t100, _t102, _t106);
                                                            				_push( *(_t103 - 0x3c));
                                                            				L00408BFB(_t83, _t100, _t102, _t106);
                                                            				return E00416BF9(0);
                                                            			}











                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00411A7E
                                                            • GetDlgItem.USER32 ref: 00411A8D
                                                              • Part of subcall function 00411A09: SetWindowTextW.USER32(?,?), ref: 00411A0F
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00411AD8
                                                            • SetDlgItemTextW.USER32 ref: 00411B21
                                                            • SetDlgItemTextW.USER32 ref: 00411B5D
                                                            • SetDlgItemTextW.USER32 ref: 00411B98
                                                              • Part of subcall function 00410729: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00410735
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Text$Item$Window$H_prolog3MessageSend
                                                            • String ID:
                                                            • API String ID: 928829568-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00412298(void* __ecx, WCHAR* _a4, WCHAR* _a8, signed int _a12) {
                                                            				signed int _v8;
                                                            				WCHAR* _v12;
                                                            				void* _v16;
                                                            				void* _t37;
                                                            
                                                            				_t37 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                            					MessageBoxW(0, _a4, _a8, _a12 | 0x00012000);
                                                            				} else {
                                                            					WaitForSingleObject( *(__ecx + 0x1c), 0xffffffff);
                                                            					_v16 = _a4;
                                                            					_v12 = _a8;
                                                            					_v8 = _a12;
                                                            					 *(_t37 + 0x14) = CreateEventW(0, 1, 0, 0);
                                                            					SendMessageW( *(_t37 + 4),  *(_t37 + 0x10), 0,  &_v16);
                                                            					CloseHandle( *(_t37 + 0x14));
                                                            					WaitForSingleObject( *(_t37 + 0x14), 0xffffffff);
                                                            				}
                                                            				return  *((intOrPtr*)(_t37 + 0xc));
                                                            			}








                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 004122B5
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004122CE
                                                            • SendMessageW.USER32(?,?,00000000,?), ref: 004122E2
                                                            • CloseHandle.KERNEL32(?), ref: 004122EB
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004122F6
                                                            • MessageBoxW.USER32(00000000,?,?,?), ref: 0041230B
                                                            Similarity
                                                            • API ID: MessageObjectSingleWait$CloseCreateEventHandleSend
                                                            • String ID:
                                                            • API String ID: 3833482109-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E00418FBB(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr _t48;
                                                            				intOrPtr _t57;
                                                            				void* _t58;
                                                            				void* _t61;
                                                            
                                                            				_t61 = __eflags;
                                                            				_t53 = __edx;
                                                            				_push(0x2c);
                                                            				_push(0x42a608);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				_t48 = __ecx;
                                                            				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                                                            				_t57 =  *((intOrPtr*)(_t58 + 8));
                                                            				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                                                            				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                                                            				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                                                            				 *((intOrPtr*)(_t58 - 0x28)) = E00416A0D(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                                                            				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00418908(__ecx, __edx, _t55, _t61) + 0x88));
                                                            				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00418908(_t48, __edx, _t55, _t61) + 0x8c));
                                                            				 *((intOrPtr*)(E00418908(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
                                                            				 *((intOrPtr*)(E00418908(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                                                            				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                            				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                                                            				 *(_t58 - 4) = 1;
                                                            				 *((intOrPtr*)(_t58 - 0x1c)) = E00416AB2(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                                                            				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                            				 *(_t58 - 4) = 0xfffffffe;
                                                            				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                                                            				E004190E1(_t48, _t53, _t55, _t57, _t61);
                                                            				return E00417BB1( *((intOrPtr*)(_t58 - 0x1c)));
                                                            			}








                                                            APIs
                                                            • __CreateFrameInfo.LIBCMT ref: 00418FE3
                                                              • Part of subcall function 00416A0D: __getptd.LIBCMT ref: 00416A1B
                                                              • Part of subcall function 00416A0D: __getptd.LIBCMT ref: 00416A29
                                                            • __getptd.LIBCMT ref: 00418FED
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __getptd.LIBCMT ref: 00418FFB
                                                            • __getptd.LIBCMT ref: 00419009
                                                            • __getptd.LIBCMT ref: 00419014
                                                            • _CallCatchBlock2.LIBCMT ref: 0041903A
                                                              • Part of subcall function 00416AB2: __CallSettingFrame@12.LIBCMT ref: 00416AFE
                                                              • Part of subcall function 004190E1: __getptd.LIBCMT ref: 004190F0
                                                              • Part of subcall function 004190E1: __getptd.LIBCMT ref: 004190FE
                                                            Similarity
                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1602911419-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00412207(intOrPtr* __ecx, intOrPtr _a4) {
                                                            				intOrPtr* _t15;
                                                            
                                                            				_t15 = __ecx;
                                                            				 *((intOrPtr*)(__ecx + 4)) = _a4;
                                                            				 *__ecx = 0x423e38;
                                                            				 *((char*)(__ecx + 0x18)) = 0;
                                                            				 *((intOrPtr*)(_t15 + 0x1c)) = CreateEventW(0, 1, 0, 0);
                                                            				 *((intOrPtr*)(_t15 + 8)) = RegisterWindowMessageW(L"CDialog::MSG_CREATE_MODAL_DLG");
                                                            				 *((intOrPtr*)(_t15 + 0x10)) = RegisterWindowMessageW(L"CDialog::MSG_CREATE_MESSAGE_BOX");
                                                            				return _t15;
                                                            			}





                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00412462,00000000,?,00412918,00000004,00412DAA), ref: 00412222
                                                            • RegisterWindowMessageW.USER32(CDialog::MSG_CREATE_MODAL_DLG,?,00412462,00000000,?,00412918,00000004,00412DAA), ref: 00412236
                                                            • RegisterWindowMessageW.USER32(CDialog::MSG_CREATE_MESSAGE_BOX,?,00412462,00000000,?,00412918,00000004,00412DAA), ref: 00412240
                                                            Strings
                                                            • CDialog::MSG_CREATE_MESSAGE_BOX, xrefs: 00412238
                                                            • CDialog::MSG_CREATE_MODAL_DLG, xrefs: 0041222E
                                                            Similarity
                                                            • API ID: MessageRegisterWindow$CreateEvent
                                                            • String ID: CDialog::MSG_CREATE_MESSAGE_BOX$CDialog::MSG_CREATE_MODAL_DLG
                                                            • API String ID: 2418267205-1515309323
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 74%
                                                            			E00418D0A(void* __edx, void* __esi, intOrPtr* _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr _t11;
                                                            				intOrPtr* _t15;
                                                            				intOrPtr* _t19;
                                                            				void* _t23;
                                                            				void* _t25;
                                                            
                                                            				_t26 = __esi;
                                                            				_t24 = __edx;
                                                            				_t11 =  *((intOrPtr*)( *_a4));
                                                            				if(_t11 == 0xe0434f4d) {
                                                            					__eflags =  *((intOrPtr*)(E00418908(_t23, __edx, _t25, __eflags) + 0x90));
                                                            					if(__eflags > 0) {
                                                            						_t15 = E00418908(_t23, __edx, _t25, __eflags) + 0x90;
                                                            						 *_t15 =  *_t15 - 1;
                                                            						__eflags =  *_t15;
                                                            					}
                                                            					goto L5;
                                                            				} else {
                                                            					_t32 = _t11 - 0xe06d7363;
                                                            					if(_t11 != 0xe06d7363) {
                                                            						L5:
                                                            						__eflags = 0;
                                                            						return 0;
                                                            					} else {
                                                            						 *(E00418908(_t23, __edx, _t25, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
                                                            						_push(8);
                                                            						_push(0x42a6c0);
                                                            						E00417B6C(_t23, _t25, __esi);
                                                            						_t19 =  *((intOrPtr*)(E00418908(_t23, __edx, _t25, _t32) + 0x78));
                                                            						if(_t19 != 0) {
                                                            							_v8 = _v8 & 0x00000000;
                                                            							 *_t19();
                                                            							_v8 = 0xfffffffe;
                                                            						}
                                                            						return E00417BB1(E004182E8(_t23, _t24, _t25, _t26));
                                                            					}
                                                            				}
                                                            			}










                                                            APIs
                                                            • __getptd.LIBCMT ref: 00418D24
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __getptd.LIBCMT ref: 00418D35
                                                            • __getptd.LIBCMT ref: 00418D43
                                                            Strings
                                                            Memory Dump Source
                                                            Similarity
                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                            • String ID: MOC$csm
                                                            • API String ID: 803148776-1389381023
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E0041CBF4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _t15;
                                                            				LONG* _t21;
                                                            				long _t23;
                                                            				void* _t31;
                                                            				LONG* _t33;
                                                            				void* _t34;
                                                            				void* _t35;
                                                            
                                                            				_t35 = __eflags;
                                                            				_t29 = __edx;
                                                            				_t25 = __ebx;
                                                            				_push(0xc);
                                                            				_push(0x42a800);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				_t31 = E00418908(__ebx, __edx, __edi, _t35);
                                                            				_t15 =  *0x42e020; // 0xfffffffe
                                                            				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                            					E00419EA7(_t25, 0xd);
                                                            					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                            					_t33 =  *(_t31 + 0x68);
                                                            					 *(_t34 - 0x1c) = _t33;
                                                            					__eflags = _t33 -  *0x42dc68; // 0x2331600
                                                            					if(__eflags != 0) {
                                                            						__eflags = _t33;
                                                            						if(_t33 != 0) {
                                                            							_t23 = InterlockedDecrement(_t33);
                                                            							__eflags = _t23;
                                                            							if(_t23 == 0) {
                                                            								__eflags = _t33 - 0x42d840;
                                                            								if(__eflags != 0) {
                                                            									_push(_t33);
                                                            									E004174DE(_t25, _t31, _t33, __eflags);
                                                            								}
                                                            							}
                                                            						}
                                                            						_t21 =  *0x42dc68; // 0x2331600
                                                            						 *(_t31 + 0x68) = _t21;
                                                            						_t33 =  *0x42dc68; // 0x2331600
                                                            						 *(_t34 - 0x1c) = _t33;
                                                            						InterlockedIncrement(_t33);
                                                            					}
                                                            					 *(_t34 - 4) = 0xfffffffe;
                                                            					E0041CC8F();
                                                            				} else {
                                                            					_t33 =  *(_t31 + 0x68);
                                                            				}
                                                            				if(_t33 == 0) {
                                                            					E0041A9FE(_t29, _t31, 0x20);
                                                            				}
                                                            				return E00417BB1(_t33);
                                                            			}











                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041CC00
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __amsg_exit.LIBCMT ref: 0041CC20
                                                            • __lock.LIBCMT ref: 0041CC30
                                                            • InterlockedDecrement.KERNEL32(?), ref: 0041CC4D
                                                            • InterlockedIncrement.KERNEL32(02331600), ref: 0041CC78
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                            • String ID:
                                                            • API String ID: 4271482742-0
                                                            • Opcode ID: 0d130036e55c6d8c92cbe47bde502ac891a0113e34d28d943e827f390023fd41
                                                            • Instruction ID: 342b5fc9f3facb3c44125a49419e8c9e1354d52a9280f9b853240e0c54386efc
                                                            • Opcode Fuzzy Hash: 0d130036e55c6d8c92cbe47bde502ac891a0113e34d28d943e827f390023fd41
                                                            • Instruction Fuzzy Hash: CF018E31E84721ABD720AF2A9C8979A7760AF04B15F50011BE80467390DB3C6DD2CBDD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 64%
                                                            			E00417A2C(intOrPtr __edx, void* __edi, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
                                                            				struct _SECURITY_ATTRIBUTES* _v0;
                                                            				intOrPtr _v4;
                                                            				DWORD* _v12;
                                                            				void* _v24;
                                                            				intOrPtr _v28;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* _t30;
                                                            				void* _t36;
                                                            				DWORD* _t41;
                                                            				intOrPtr* _t43;
                                                            				void* _t45;
                                                            				void* _t51;
                                                            				long _t54;
                                                            				void* _t64;
                                                            				intOrPtr _t65;
                                                            				intOrPtr* _t67;
                                                            				void* _t68;
                                                            				intOrPtr _t71;
                                                            				void* _t74;
                                                            
                                                            				_t64 = __edi;
                                                            				_t61 = __edx;
                                                            				_t74 = _v24;
                                                            				E0041AC84(_v28);
                                                            				asm("int3");
                                                            				_t71 = _t74;
                                                            				_push(_t67);
                                                            				E0041871A();
                                                            				_t30 = E004186FA(E00418714());
                                                            				if(_t30 != 0) {
                                                            					_t54 = _a4;
                                                            					 *((intOrPtr*)(_t30 + 0x54)) =  *((intOrPtr*)(_t54 + 0x54));
                                                            					 *((intOrPtr*)(_t30 + 0x58)) =  *((intOrPtr*)(_t54 + 0x58));
                                                            					_t61 =  *((intOrPtr*)(_t54 + 4));
                                                            					_push(_t54);
                                                            					 *((intOrPtr*)(_t30 + 4)) =  *((intOrPtr*)(_t54 + 4));
                                                            					E00418922(_t51, __edi, _t67, __eflags);
                                                            				} else {
                                                            					_t67 = _a4;
                                                            					if(E0041874E(E00418714(), _t67) == 0) {
                                                            						ExitThread(GetLastError());
                                                            					}
                                                            					 *_t67 = GetCurrentThreadId();
                                                            				}
                                                            				_t79 =  *0x434300;
                                                            				if( *0x434300 != 0) {
                                                            					_t45 = E0041AFE0(_t79, 0x434300);
                                                            					_pop(_t54);
                                                            					_t80 = _t45;
                                                            					if(_t45 != 0) {
                                                            						 *0x434300(); // executed
                                                            					}
                                                            				}
                                                            				E004179F7(_t61, _t64, _t67, _t80); // executed
                                                            				asm("int3");
                                                            				_push(_t71);
                                                            				_push(_t54);
                                                            				_push(_t51);
                                                            				_push(_t64);
                                                            				_t65 = _v4;
                                                            				_v24 = 0;
                                                            				_t81 = _t65;
                                                            				if(_t65 != 0) {
                                                            					_push(_t67);
                                                            					E0041871A();
                                                            					_t68 = E0041AE0D(1, 0x214);
                                                            					__eflags = _t68;
                                                            					if(__eflags == 0) {
                                                            						L17:
                                                            						_push(_t68);
                                                            						E004174DE(0, _t65, _t68, __eflags);
                                                            						__eflags = _v12;
                                                            						if(_v12 != 0) {
                                                            							E0041AD6E(_v12);
                                                            						}
                                                            						_t36 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_push( *((intOrPtr*)(E00418908(0, _t61, _t65, __eflags) + 0x6c)));
                                                            						_push(_t68);
                                                            						E004187A8(0, _t65, _t68, __eflags);
                                                            						 *(_t68 + 4) =  *(_t68 + 4) | 0xffffffff;
                                                            						 *((intOrPtr*)(_t68 + 0x58)) = _a12;
                                                            						_t41 = _a20;
                                                            						 *((intOrPtr*)(_t68 + 0x54)) = _t65;
                                                            						__eflags = _t41;
                                                            						if(_t41 == 0) {
                                                            							_t41 =  &_a8;
                                                            						}
                                                            						_t36 = CreateThread(_v0, _a4, E00417A38, _t68, _a16, _t41); // executed
                                                            						__eflags = _t36;
                                                            						if(__eflags == 0) {
                                                            							_v12 = GetLastError();
                                                            							goto L17;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t43 = E0041AD48(_t81);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					 *_t43 = 0x16;
                                                            					E0041B335(_t61, _t65, _t67);
                                                            					_t36 = 0;
                                                            				}
                                                            				return _t36;
                                                            			}
























                                                            APIs
                                                              • Part of subcall function 0041AC84: _doexit.LIBCMT ref: 0041AC90
                                                            • ___set_flsgetvalue.LIBCMT ref: 00417A3E
                                                              • Part of subcall function 0041871A: TlsGetValue.KERNEL32(?,00417A43), ref: 00418723
                                                              • Part of subcall function 0041871A: __decode_pointer.LIBCMT ref: 00418735
                                                              • Part of subcall function 0041871A: TlsSetValue.KERNEL32(00000000,00417A43), ref: 00418744
                                                            • ___fls_getvalue@4.LIBCMT ref: 00417A49
                                                              • Part of subcall function 004186FA: TlsGetValue.KERNEL32(?,?,00417A4E,00000000), ref: 00418708
                                                            • ___fls_setvalue@8.LIBCMT ref: 00417A5C
                                                              • Part of subcall function 0041874E: __decode_pointer.LIBCMT ref: 0041875F
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00417A65
                                                            • ExitThread.KERNEL32 ref: 00417A6C
                                                            • GetCurrentThreadId.KERNEL32 ref: 00417A72
                                                            • __freefls@4.LIBCMT ref: 00417A92
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00417AA5
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                            • String ID:
                                                            • API String ID: 132634196-0
                                                            • Opcode ID: 59a878c804150c6aee79d0defe103255293982fc60a67c3d91ea100309f4ac37
                                                            • Instruction ID: a767db3d9a0cbb97adf9c0627760bb36d5894593ed74e0cff43f53381f065771
                                                            • Opcode Fuzzy Hash: 59a878c804150c6aee79d0defe103255293982fc60a67c3d91ea100309f4ac37
                                                            • Instruction Fuzzy Hash: 2EE0B671904205A7CF103BF38C4A8DF7A7DAE05399B20042EB92093552EF2DDA9246AE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 28%
                                                            			E00419368(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                            				void* __ebp;
                                                            				void* _t20;
                                                            				void* _t22;
                                                            				void* _t23;
                                                            				void* _t25;
                                                            				intOrPtr* _t26;
                                                            				void* _t27;
                                                            				void* _t28;
                                                            
                                                            				_t27 = __esi;
                                                            				_t26 = __edi;
                                                            				_t25 = __edx;
                                                            				_t23 = __ecx;
                                                            				_t22 = __ebx;
                                                            				_t30 = _a20;
                                                            				if(_a20 != 0) {
                                                            					_push(_a20);
                                                            					_push(__ebx);
                                                            					_push(__esi);
                                                            					_push(_a4);
                                                            					E004192D6(__ebx, __edi, __esi, _t30);
                                                            					_t28 = _t28 + 0x10;
                                                            				}
                                                            				_t31 = _a28;
                                                            				_push(_a4);
                                                            				if(_a28 != 0) {
                                                            					_push(_a28);
                                                            				} else {
                                                            					_push(_t27);
                                                            				}
                                                            				E00416765(_t23);
                                                            				_push( *_t26);
                                                            				_push(_a16);
                                                            				_push(_a12);
                                                            				_push(_t27);
                                                            				E00418D53(_t22, _t25, _t26, _t27, _t31);
                                                            				_push(0x100);
                                                            				_push(_a24);
                                                            				_push(_a16);
                                                            				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
                                                            				_push(_a8);
                                                            				_push(_t27);
                                                            				_push(_a4);
                                                            				_t20 = E00418FBB(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
                                                            				if(_t20 != 0) {
                                                            					E0041672C(_t20, _t27);
                                                            					return _t20;
                                                            				}
                                                            				return _t20;
                                                            			}












                                                            APIs
                                                            • ___BuildCatchObject.LIBCMT ref: 0041937B
                                                              • Part of subcall function 004192D6: ___BuildCatchObjectHelper.LIBCMT ref: 0041930C
                                                            • _UnwindNestedFrames.LIBCMT ref: 00419392
                                                            • ___FrameUnwindToState.LIBCMT ref: 004193A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                            • String ID: csm
                                                            • API String ID: 2163707966-1018135373
                                                            • Opcode ID: 63a8c01b2cfbc2af873947d8df69a081f22c1dca01e2e4dd082ec105b9986c10
                                                            • Instruction ID: e7868efc18412c9e077cac95ed549032f2f14645f1f76b68ebafbd800c385fcd
                                                            • Opcode Fuzzy Hash: 63a8c01b2cfbc2af873947d8df69a081f22c1dca01e2e4dd082ec105b9986c10
                                                            • Instruction Fuzzy Hash: B301E831000109BBDF126E52CC45EEB7F6AEF48358F04811AFD28151A1DB7AD9A1DBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E0040BB73(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				void* _t37;
                                                            
                                                            				_push(4);
                                                            				E00416B21(E0042198A, __ebx, __edi, __esi);
                                                            				 *((intOrPtr*)(_t37 - 0x10)) = __ecx;
                                                            				 *((intOrPtr*)(__ecx + 4)) = 0x4239bc;
                                                            				 *((intOrPtr*)(__ecx + 8)) = 0x4239d4;
                                                            				 *((intOrPtr*)(__ecx + 0xc)) = 0x4239e8;
                                                            				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                                            				 *((intOrPtr*)(__ecx)) = 0x423a54;
                                                            				 *((intOrPtr*)(__ecx + 4)) = 0x423a3c;
                                                            				 *((intOrPtr*)(__ecx + 8)) = 0x423a28;
                                                            				 *((intOrPtr*)(__ecx + 0xc)) = 0x423a14;
                                                            				E0040320A(__ecx + 0x14);
                                                            				 *((intOrPtr*)(_t37 - 4)) = 0;
                                                            				E0040320A(__ecx + 0x48);
                                                            				 *((char*)(_t37 - 4)) = 1;
                                                            				E0040320A(__ecx + 0x5c);
                                                            				 *((intOrPtr*)(__ecx + 0x6c)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x70)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x78)) = 4;
                                                            				 *((intOrPtr*)(__ecx + 0x68)) = 0x423798;
                                                            				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x80)) = 0;
                                                            				return E00416BF9(__ecx);
                                                            			}





                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3
                                                            • String ID: (:B$<:B$9B
                                                            • API String ID: 431132790-4150366847
                                                            • Opcode ID: 5fb88bcb03bd3d23b32fda4363389a208182e758c4177cff56519ff8fdf4f310
                                                            • Instruction ID: 14911f69345f63bfd26f3c457765aa6d4ab56a5ca1e715dcb9b32a0d5c853c2d
                                                            • Opcode Fuzzy Hash: 5fb88bcb03bd3d23b32fda4363389a208182e758c4177cff56519ff8fdf4f310
                                                            • Instruction Fuzzy Hash: 4D01C5F0600B608EC720DF56D04525AFBF4AF54709B80C95F95E697A61C7BCA248CF48
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041E2B2(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                            				char _v8;
                                                            				signed int _v12;
                                                            				char _v20;
                                                            				char _t43;
                                                            				char _t46;
                                                            				signed int _t53;
                                                            				signed int _t54;
                                                            				intOrPtr _t56;
                                                            				int _t57;
                                                            				int _t58;
                                                            				signed short* _t59;
                                                            				short* _t60;
                                                            				int _t65;
                                                            				char* _t72;
                                                            
                                                            				_t72 = _a8;
                                                            				if(_t72 == 0 || _a12 == 0) {
                                                            					L5:
                                                            					return 0;
                                                            				} else {
                                                            					if( *_t72 != 0) {
                                                            						E0041B6F9( &_v20, _a16);
                                                            						_t43 = _v20;
                                                            						__eflags =  *(_t43 + 0x14);
                                                            						if( *(_t43 + 0x14) != 0) {
                                                            							_t46 = E0041E3E3( *_t72 & 0x000000ff,  &_v20);
                                                            							__eflags = _t46;
                                                            							if(_t46 == 0) {
                                                            								__eflags = _a4;
                                                            								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
                                                            								if(__eflags != 0) {
                                                            									L10:
                                                            									__eflags = _v8;
                                                            									if(_v8 != 0) {
                                                            										_t53 = _v12;
                                                            										_t11 = _t53 + 0x70;
                                                            										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                            										__eflags =  *_t11;
                                                            									}
                                                            									return 1;
                                                            								}
                                                            								L21:
                                                            								_t54 = E0041AD48(__eflags);
                                                            								 *_t54 = 0x2a;
                                                            								__eflags = _v8;
                                                            								if(_v8 != 0) {
                                                            									_t54 = _v12;
                                                            									_t33 = _t54 + 0x70;
                                                            									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                            									__eflags =  *_t33;
                                                            								}
                                                            								return _t54 | 0xffffffff;
                                                            							}
                                                            							_t56 = _v20;
                                                            							_t65 =  *(_t56 + 0xac);
                                                            							__eflags = _t65 - 1;
                                                            							if(_t65 <= 1) {
                                                            								L17:
                                                            								__eflags = _a12 -  *(_t56 + 0xac);
                                                            								if(__eflags < 0) {
                                                            									goto L21;
                                                            								}
                                                            								__eflags = _t72[1];
                                                            								if(__eflags == 0) {
                                                            									goto L21;
                                                            								}
                                                            								L19:
                                                            								_t57 =  *(_t56 + 0xac);
                                                            								__eflags = _v8;
                                                            								if(_v8 == 0) {
                                                            									return _t57;
                                                            								}
                                                            								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                            								return _t57;
                                                            							}
                                                            							__eflags = _a12 - _t65;
                                                            							if(_a12 < _t65) {
                                                            								goto L17;
                                                            							}
                                                            							__eflags = _a4;
                                                            							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
                                                            							__eflags = _t58;
                                                            							_t56 = _v20;
                                                            							if(_t58 != 0) {
                                                            								goto L19;
                                                            							}
                                                            							goto L17;
                                                            						}
                                                            						_t59 = _a4;
                                                            						__eflags = _t59;
                                                            						if(_t59 != 0) {
                                                            							 *_t59 =  *_t72 & 0x000000ff;
                                                            						}
                                                            						goto L10;
                                                            					} else {
                                                            						_t60 = _a4;
                                                            						if(_t60 != 0) {
                                                            							 *_t60 = 0;
                                                            						}
                                                            						goto L5;
                                                            					}
                                                            				}
                                                            			}


















                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041E2E6
                                                            • __isleadbyte_l.LIBCMT ref: 0041E31A
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0041B83B,?,00000000,00000000,?,?,?,?,0041B83B), ref: 0041E34B
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0041B83B,00000001,00000000,00000000,?,?,?,?,0041B83B), ref: 0041E3B9
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            • String ID:
                                                            • API String ID: 3058430110-0
                                                            • Opcode ID: fae03e345869caab92b8b7168c71cc03d22abb853247b91a096b241b8bbe7333
                                                            • Instruction ID: 06cc490f68b29341d32c057b6d3aa829f801d5644f6318d0223809272f2e9e98
                                                            • Opcode Fuzzy Hash: fae03e345869caab92b8b7168c71cc03d22abb853247b91a096b241b8bbe7333
                                                            • Instruction Fuzzy Hash: C3310E34A0028AEFDB20CF66C891DEE7BA5BF01311F1445AAECA48B290D334DD81DB59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 74%
                                                            			E00412D6E(intOrPtr _a4, intOrPtr* _a8) {
                                                            				intOrPtr _v16;
                                                            				char _v32;
                                                            				char _v56;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				intOrPtr* _t28;
                                                            				void* _t31;
                                                            				intOrPtr* _t32;
                                                            				intOrPtr* _t42;
                                                            				intOrPtr _t46;
                                                            				intOrPtr* _t56;
                                                            				intOrPtr _t57;
                                                            				intOrPtr _t58;
                                                            				intOrPtr _t59;
                                                            				void* _t60;
                                                            
                                                            				_t42 = __imp__#4;
                                                            				_t58 = _a4;
                                                            				if( *((char*)(_t58 + 0x118)) != 0) {
                                                            					L11:
                                                            					_t59 =  *((intOrPtr*)(_t58 + 0x11c));
                                                            					 *_a8 =  *_t42(_t59, E00417DDA(_t59));
                                                            					__eflags = 0;
                                                            					return 0;
                                                            				}
                                                            				_t56 = _t58 + 0x131;
                                                            				if( *_t56 == 0) {
                                                            					E00412902(_t42,  &_v56, _t56, _t58, __eflags);
                                                            					_t46 =  *((intOrPtr*)(_t58 + 0x6c));
                                                            					_v32 =  *_t56;
                                                            					 *((intOrPtr*)(_t58 + 0x12c)) = _t46;
                                                            					_t28 =  *0x430640; // 0x612618
                                                            					__eflags = _t28;
                                                            					if(_t28 != 0) {
                                                            						 *((intOrPtr*)( *_t28 + 0x28))(_t28, _t46, 8);
                                                            					}
                                                            					E0040FC41( *((intOrPtr*)(_t58 + 0xbc)));
                                                            					_t31 =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0x68))))( &_v56, 0x1f5);
                                                            					__eflags = _t31 - 2;
                                                            					_t32 =  *0x430640; // 0x612618
                                                            					if(_t31 != 2) {
                                                            						__eflags = _t32;
                                                            						if(_t32 != 0) {
                                                            							 *((intOrPtr*)( *_t32 + 0x28))(_t32,  *((intOrPtr*)(_t58 + 0x12c)), 2);
                                                            						}
                                                            						goto L10;
                                                            					} else {
                                                            						__eflags = _t32;
                                                            						if(__eflags == 0) {
                                                            							L10:
                                                            							_t57 = _v16;
                                                            							E004090CA(_t58 + 0x11c, _t60,  *_t42(_t57, E00417DDA(_t57)));
                                                            							_push(_v16);
                                                            							 *((char*)(_t58 + 0x118)) = 1;
                                                            							L00408BFB(_t42, _t57, _t58, __eflags);
                                                            							goto L11;
                                                            						}
                                                            						 *((intOrPtr*)( *_t32 + 0x28))(_t32,  *((intOrPtr*)(_t58 + 0x12c)), 4);
                                                            						_push(_v16);
                                                            						L00408BFB(_t42, _t56, _t58, __eflags);
                                                            						goto L2;
                                                            					}
                                                            				}
                                                            				L2:
                                                            				return 0x80004004;
                                                            			}





















                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00412E22
                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00412E2A
                                                            • _wcslen.LIBCMT ref: 00412E4F
                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00412E57
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: AllocString_wcslen
                                                            • String ID:
                                                            • API String ID: 1837159753-0
                                                            • Opcode ID: 062f1729fe61ea59d46fd9248896aa2d3cc6dd8e4d692e0a712a37658542653c
                                                            • Instruction ID: e9c7c381ef061b1e0d686df2e615424e472c72a5b61756d386b86c00ce312959
                                                            • Opcode Fuzzy Hash: 062f1729fe61ea59d46fd9248896aa2d3cc6dd8e4d692e0a712a37658542653c
                                                            • Instruction Fuzzy Hash: 1E31D171200304AFD715DB60D841FEA77B9AF49310F10846EF685D7291CB78ADA1CBA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E00409C01(struct HWND__** __ecx, intOrPtr* _a4) {
                                                            				int _t10;
                                                            				signed int _t11;
                                                            				signed int _t12;
                                                            				signed int _t13;
                                                            				signed int _t15;
                                                            				int _t17;
                                                            				struct HWND__** _t25;
                                                            				intOrPtr _t26;
                                                            				intOrPtr* _t28;
                                                            
                                                            				_t28 = _a4;
                                                            				 *(_t28 + 4) =  *(_t28 + 4) & 0x00000000;
                                                            				_t25 = __ecx;
                                                            				 *((short*)( *_t28)) = 0;
                                                            				_t17 = GetWindowTextLengthW( *__ecx);
                                                            				if(_t17 != 0) {
                                                            					_t10 = GetWindowTextW( *_t25, E00403FA3(_t28, _t17), _t17 + 1);
                                                            					_t26 =  *_t28;
                                                            					_t11 = E0040116F(_t26);
                                                            					 *((short*)(_t26 + _t11 * 2)) = 0;
                                                            					 *(_t28 + 4) = _t11;
                                                            					if(_t10 != 0) {
                                                            						_t12 = 1;
                                                            					} else {
                                                            						_t13 = GetLastError();
                                                            						asm("sbb eax, eax");
                                                            						_t12 =  ~( ~_t13);
                                                            					}
                                                            				} else {
                                                            					_t15 = GetLastError();
                                                            					asm("sbb eax, eax");
                                                            					_t12 =  ~_t15 + 1;
                                                            				}
                                                            				return _t12;
                                                            			}













                                                            APIs
                                                            • GetWindowTextLengthW.USER32 ref: 00409C17
                                                            • GetLastError.KERNEL32 ref: 00409C23
                                                            • GetWindowTextW.USER32 ref: 00409C3D
                                                            • GetLastError.KERNEL32(?,?,00000000,00000000,00000000), ref: 00409C5A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastTextWindow$Length
                                                            • String ID:
                                                            • API String ID: 3440162706-0
                                                            • Opcode ID: d29d1dabf7f37da445bba4c44006a9e540a00eec02cc97a31967c6722456d859
                                                            • Instruction ID: 0b3f5f8dc11d9cb6f52a592932b536abcf6f7bd2eff94a09abaf9dd0597dadaa
                                                            • Opcode Fuzzy Hash: d29d1dabf7f37da445bba4c44006a9e540a00eec02cc97a31967c6722456d859
                                                            • Instruction Fuzzy Hash: 5E018675714202ABD7205F78D888826B3FCEF59716710443AF447D32A0DF759C128B2D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E0041C958(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                            				signed int _t13;
                                                            				intOrPtr _t28;
                                                            				void* _t29;
                                                            				void* _t30;
                                                            
                                                            				_t30 = __eflags;
                                                            				_t26 = __edi;
                                                            				_t25 = __edx;
                                                            				_t22 = __ebx;
                                                            				_push(0xc);
                                                            				_push(0x42a7e0);
                                                            				E00417B6C(__ebx, __edi, __esi);
                                                            				_t28 = E00418908(__ebx, __edx, __edi, _t30);
                                                            				_t13 =  *0x42e020; // 0xfffffffe
                                                            				if(( *(_t28 + 0x70) & _t13) == 0) {
                                                            					L6:
                                                            					E00419EA7(_t22, 0xc);
                                                            					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                                            					_t8 = _t28 + 0x6c; // 0x6c
                                                            					_t26 =  *0x42d830; // 0x42d758
                                                            					 *((intOrPtr*)(_t29 - 0x1c)) = E0041C91A(_t8, _t26);
                                                            					 *(_t29 - 4) = 0xfffffffe;
                                                            					E0041C9C2();
                                                            				} else {
                                                            					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
                                                            					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                                                            						goto L6;
                                                            					} else {
                                                            						_t28 =  *((intOrPtr*)(E00418908(_t22, __edx, _t26, _t32) + 0x6c));
                                                            					}
                                                            				}
                                                            				if(_t28 == 0) {
                                                            					E0041A9FE(_t25, _t26, 0x20);
                                                            				}
                                                            				return E00417BB1(_t28);
                                                            			}








                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041C964
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __getptd.LIBCMT ref: 0041C97B
                                                            • __amsg_exit.LIBCMT ref: 0041C989
                                                            • __lock.LIBCMT ref: 0041C999
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                            • String ID:
                                                            • API String ID: 3521780317-0
                                                            • Opcode ID: 949d4ace6e436c1979df6c52288330fee53b2dc502489d74444a9079756289a3
                                                            • Instruction ID: cd17e753ec4a28575be3e050727088d2e2c04aa294c6b3e927e7230be7d31612
                                                            • Opcode Fuzzy Hash: 949d4ace6e436c1979df6c52288330fee53b2dc502489d74444a9079756289a3
                                                            • Instruction Fuzzy Hash: 30F062B2EA07048AD720BB6688427DD76A06B00718F50415FE454672D1CF3C69C18B5E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041224C(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                            				void* _t20;
                                                            
                                                            				_t20 = __ecx;
                                                            				WaitForSingleObject( *(__ecx + 0x1c), 0xffffffff);
                                                            				 *(_t20 + 0x14) = CreateEventW(0, 1, 0, 0);
                                                            				E00411C40(_t20 + 4,  *((intOrPtr*)(_t20 + 8)), _a8, _a4);
                                                            				WaitForSingleObject( *(_t20 + 0x14), 0xffffffff);
                                                            				CloseHandle( *(_t20 + 0x14));
                                                            				return  *((intOrPtr*)(_t20 + 0xc));
                                                            			}





                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041225B
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00412264
                                                              • Part of subcall function 00411C40: PostMessageW.USER32(?,?,?,?), ref: 00411C4E
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412285
                                                            • CloseHandle.KERNEL32(?), ref: 0041228A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: ObjectSingleWait$CloseCreateEventHandleMessagePost
                                                            • String ID:
                                                            • API String ID: 1259710111-0
                                                            • Opcode ID: 688a9044c8813bffc1647393a113ac4df378807a7bac1586038bcedb71cd57a5
                                                            • Instruction ID: 587c63874120dfd8d7cb41ac1519f56cfecb811f02ec18e29ab156a93c3206fa
                                                            • Opcode Fuzzy Hash: 688a9044c8813bffc1647393a113ac4df378807a7bac1586038bcedb71cd57a5
                                                            • Instruction Fuzzy Hash: 3BF0F835104601AFDB31AF25ED04C67BBB9EB847217108A29F8A2926B4CA31A8169B71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E00404EF2(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed char _t106;
                                                            				intOrPtr _t116;
                                                            				signed char* _t124;
                                                            				void* _t130;
                                                            				void* _t141;
                                                            				signed int _t159;
                                                            				signed int _t161;
                                                            				signed int _t162;
                                                            				signed char* _t163;
                                                            				signed char* _t165;
                                                            				signed int _t167;
                                                            				void* _t168;
                                                            
                                                            				_t159 = __edx;
                                                            				_push(0x5c);
                                                            				E00416B8A(E00421117, __ebx, __edi, __esi);
                                                            				_t165 =  *(_t168 + 8);
                                                            				_t141 = __ecx;
                                                            				 *(_t168 - 0x2c) = _t165;
                                                            				 *((intOrPtr*)(_t168 - 0x3c)) = E00403D5E( *((intOrPtr*)(__ecx + 0x18)), __edx, __edi);
                                                            				E00408B5A();
                                                            				E00408A61(_t165,  *((intOrPtr*)(_t168 - 0x3c)));
                                                            				_t161 = 0;
                                                            				 *(_t168 - 0x30) = 0;
                                                            				 *((intOrPtr*)(_t168 - 0x44)) = 0;
                                                            				 *((intOrPtr*)(_t168 - 0x48)) = 0;
                                                            				if( *((intOrPtr*)(_t168 - 0x3c)) > 0) {
                                                            					while(1) {
                                                            						 *((intOrPtr*)(_t168 - 0x60)) = 0x423364;
                                                            						 *(_t168 - 0x5c) = _t161;
                                                            						 *(_t168 - 0x58) = _t161;
                                                            						_push(_t168 - 0x68);
                                                            						 *(_t168 - 4) = _t161;
                                                            						E00404E79(_t141, _t165, _t161, _t165, __eflags);
                                                            						 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
                                                            						_push(_t161);
                                                            						L00408BFB(_t141, _t161, _t165, __eflags);
                                                            						_t162 =  *(_t165[0xc] + _t165[8] * 4 - 4);
                                                            						_t106 = L00403C4E( *(_t141 + 0x18), _t162);
                                                            						_t150 =  *(_t141 + 0x18);
                                                            						 *(_t168 - 0x21) = _t106;
                                                            						_t167 = _t106 & 0xf;
                                                            						E00403C65( *(_t141 + 0x18), _t168 - 0x20, _t167);
                                                            						__eflags = _t167 - 8;
                                                            						if(_t167 > 8) {
                                                            							goto L23;
                                                            						}
                                                            						__eflags = _t167;
                                                            						 *(_t168 - 0x38) = 0;
                                                            						 *(_t168 - 0x34) = 0;
                                                            						if(_t167 > 0) {
                                                            							 *(_t168 - 0x40) = 0;
                                                            							 *(_t168 - 0x28) = _t168 + _t167 - 0x21;
                                                            							do {
                                                            								_t150 =  *(_t168 - 0x40);
                                                            								asm("cdq");
                                                            								 *(_t168 - 0x38) =  *(_t168 - 0x38) | E00416FA0( *( *(_t168 - 0x28)) & 0x000000ff,  *(_t168 - 0x40), _t159);
                                                            								 *(_t168 - 0x34) =  *(_t168 - 0x34) | _t159;
                                                            								 *(_t168 - 0x28) =  *(_t168 - 0x28) - 1;
                                                            								 *(_t168 - 0x40) =  &(( *(_t168 - 0x40))[8]);
                                                            								_t167 = _t167 - 1;
                                                            								__eflags = _t167;
                                                            							} while (_t167 != 0);
                                                            						}
                                                            						__eflags =  *(_t168 - 0x21) & 0x00000010;
                                                            						 *_t162 =  *(_t168 - 0x38);
                                                            						 *(_t162 + 4) =  *(_t168 - 0x34);
                                                            						if(( *(_t168 - 0x21) & 0x00000010) == 0) {
                                                            							_t116 = 1;
                                                            							__eflags = 1;
                                                            							 *((intOrPtr*)(_t162 + 0x14)) = 1;
                                                            						} else {
                                                            							 *((intOrPtr*)(_t162 + 0x14)) = E00403D5E( *(_t141 + 0x18), _t159, _t162);
                                                            							_t150 =  *(_t141 + 0x18);
                                                            							_t116 = E00403D5E( *(_t141 + 0x18), _t159, _t162);
                                                            						}
                                                            						__eflags =  *(_t168 - 0x21) & 0x00000020;
                                                            						 *((intOrPtr*)(_t162 + 0x18)) = _t116;
                                                            						if(( *(_t168 - 0x21) & 0x00000020) != 0) {
                                                            							_t167 = E00403D5E( *(_t141 + 0x18), _t159, _t162);
                                                            							_t76 = _t162 + 8; // 0x107
                                                            							E0040140A(_t76, _t168, _t167);
                                                            							_t150 =  *(_t141 + 0x18);
                                                            							E00403C65( *(_t141 + 0x18),  *((intOrPtr*)(_t162 + 0x10)), _t167);
                                                            						}
                                                            						__eflags =  *(_t168 - 0x21) & 0x00000080;
                                                            						if(( *(_t168 - 0x21) & 0x00000080) != 0) {
                                                            							goto L23;
                                                            						} else {
                                                            							 *(_t168 - 0x30) =  *(_t168 - 0x30) +  *((intOrPtr*)(_t162 + 0x14));
                                                            							 *((intOrPtr*)(_t168 - 0x44)) =  *((intOrPtr*)(_t168 - 0x44)) +  *((intOrPtr*)(_t162 + 0x18));
                                                            							 *((intOrPtr*)(_t168 - 0x48)) =  *((intOrPtr*)(_t168 - 0x48)) + 1;
                                                            							_t165 =  *(_t168 - 0x2c);
                                                            							__eflags =  *((intOrPtr*)(_t168 - 0x48)) -  *((intOrPtr*)(_t168 - 0x3c));
                                                            							if( *((intOrPtr*)(_t168 - 0x48)) <  *((intOrPtr*)(_t168 - 0x3c))) {
                                                            								_t161 = 0;
                                                            								__eflags = 0;
                                                            								continue;
                                                            							} else {
                                                            								goto L1;
                                                            							}
                                                            						}
                                                            						goto L29;
                                                            					}
                                                            					goto L23;
                                                            				} else {
                                                            					L1:
                                                            					_t163 =  &(_t165[0x14]);
                                                            					 *(_t168 - 0x28) =  *((intOrPtr*)(_t168 - 0x44)) - 1;
                                                            					E00408B5A();
                                                            					_t150 = _t163;
                                                            					E00408A61(_t163,  *(_t168 - 0x28));
                                                            					_t124 =  *(_t168 - 0x28);
                                                            					if(_t124 > 0) {
                                                            						 *(_t168 - 0x2c) = _t124;
                                                            						do {
                                                            							 *(_t168 - 0x38) = E00403D5E( *(_t141 + 0x18), _t159, _t163);
                                                            							_t130 = E00403D5E( *(_t141 + 0x18), _t159, _t163);
                                                            							_t150 = _t163;
                                                            							E00403DE7(_t163,  *(_t168 - 0x38), _t130);
                                                            							_t20 = _t168 - 0x2c;
                                                            							 *_t20 =  *(_t168 - 0x2c) - 1;
                                                            						} while ( *_t20 != 0);
                                                            					}
                                                            					_t162 =  *(_t168 - 0x30);
                                                            					if(_t162 <  *(_t168 - 0x28)) {
                                                            						L23:
                                                            						E00403C2E(_t150, _t162);
                                                            						goto L24;
                                                            					} else {
                                                            						_t162 = _t162 -  *(_t168 - 0x28);
                                                            						_t150 =  &(_t165[0x28]);
                                                            						 *(_t168 - 0x2c) =  &(_t165[0x28]);
                                                            						E00408A61( &(_t165[0x28]), _t162);
                                                            						if(_t162 != 1) {
                                                            							__eflags = _t162;
                                                            							if(_t162 > 0) {
                                                            								do {
                                                            									E0040105E( *(_t168 - 0x2c), E00403D5E( *(_t141 + 0x18), _t159, _t162));
                                                            									_t162 = _t162 - 1;
                                                            									__eflags = _t162;
                                                            								} while (_t162 != 0);
                                                            							}
                                                            						} else {
                                                            							_t162 = 0;
                                                            							if( *(_t168 - 0x30) > 0) {
                                                            								while(1) {
                                                            									_t150 = _t165;
                                                            									if(E00401237(_t165, _t162) < 0) {
                                                            										break;
                                                            									}
                                                            									_t162 = _t162 + 1;
                                                            									if(_t162 <  *(_t168 - 0x30)) {
                                                            										continue;
                                                            									} else {
                                                            									}
                                                            									goto L25;
                                                            								}
                                                            								L24:
                                                            								_t150 =  *(_t168 - 0x2c);
                                                            								E0040105E( *(_t168 - 0x2c), _t162);
                                                            							}
                                                            							L25:
                                                            							if( *((intOrPtr*)(_t167 + 0x30)) != 1) {
                                                            								goto L23;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				L29:
                                                            				return E00416C0D(_t141, _t162, _t167);
                                                            			}
















                                                            APIs
                                                            • __EH_prolog3_GS.LIBCMT ref: 00404EF9
                                                              • Part of subcall function 00408A61: __CxxThrowException@8.LIBCMT ref: 00408A8C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: Exception@8H_prolog3_Throw
                                                            • String ID: $d3B
                                                            • API String ID: 2985221223-198493696
                                                            • Opcode ID: a7477b0c66efa75ac5070eb5991b92a02dcb652aca25504d8e2e9fb72b76feb2
                                                            • Instruction ID: 2a29051ba39229ac5af4f25dd9e29a3bb43660fb59363973aee6b4079977c564
                                                            • Opcode Fuzzy Hash: a7477b0c66efa75ac5070eb5991b92a02dcb652aca25504d8e2e9fb72b76feb2
                                                            • Instruction Fuzzy Hash: 30612E71E006189BCF14EFAAC4819EEBBB5FF54314B10412FE855B7295CB38A951CFA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00409724(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _t33;
                                                            				WCHAR* _t35;
                                                            				signed int _t36;
                                                            				signed int _t40;
                                                            				void* _t42;
                                                            				void* _t44;
                                                            				void* _t46;
                                                            				WCHAR* _t55;
                                                            				WCHAR* _t58;
                                                            				signed short* _t67;
                                                            				signed int _t69;
                                                            				void* _t71;
                                                            
                                                            				_push(0x30);
                                                            				E00416B21(E00421683, __ebx, __edi, __esi);
                                                            				_t33 =  *((intOrPtr*)(_t71 + 0xc));
                                                            				 *(_t33 + 4) =  *(_t33 + 4) & 0x00000000;
                                                            				_t67 =  *(_t71 + 8);
                                                            				 *((short*)( *_t33)) = 0;
                                                            				_t35 = E0040116F(_t67);
                                                            				_t69 =  *_t67 & 0x0000ffff;
                                                            				_t55 = _t35;
                                                            				if(_t55 < 1 || _t69 == 0x5c || _t69 == 0x2e && (_t55 == 1 || _t55 == 2 && _t67[1] == _t69)) {
                                                            					L19:
                                                            					_t36 = 1;
                                                            					goto L20;
                                                            				} else {
                                                            					E0040320A(_t71 - 0x18);
                                                            					 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
                                                            					if(_t55 <= 3 || _t67[1] != 0x3a || _t67[2] != 0x5c) {
                                                            						L12:
                                                            						if( *((intOrPtr*)(_t71 - 0x10)) <= 0x105) {
                                                            							E0040110F(_t71 - 0x18, _t71, 0x105);
                                                            						}
                                                            						_t55 =  *(_t71 - 0x18);
                                                            						_t69 = GetCurrentDirectoryW(0x105, _t55);
                                                            						_t40 = E0040116F(_t55);
                                                            						_t58 =  &(_t55[_t40]);
                                                            						 *_t58 = 0;
                                                            						 *(_t71 - 0x14) = _t40;
                                                            						if(_t69 == 0 || _t69 > 0x104) {
                                                            							_push(_t55);
                                                            							L00408BFB(_t55, _t67, _t69, __eflags);
                                                            							_t36 = 0;
                                                            							L20:
                                                            							return E00416BF9(_t36);
                                                            						} else {
                                                            							_t90 =  *((short*)(_t58 - 2)) - 0x5c;
                                                            							if( *((short*)(_t58 - 2)) != 0x5c) {
                                                            								E00408670(_t71 - 0x18, 0, _t90, 0x5c);
                                                            							}
                                                            							goto L18;
                                                            						}
                                                            					} else {
                                                            						if(_t69 < 0x61 || _t69 > 0x7a) {
                                                            							if(_t69 <= 0x19) {
                                                            								goto L18;
                                                            							}
                                                            							goto L12;
                                                            						} else {
                                                            							L18:
                                                            							_t42 = E00401647(_t71 - 0x3c, _t71, L"\\\\?\\");
                                                            							_push(_t71 - 0x18);
                                                            							_push(_t42);
                                                            							_push(_t71 - 0x30);
                                                            							 *(_t71 - 4) = 1;
                                                            							_t44 = E004096A4(_t55, _t67, _t69, _t90);
                                                            							_push(_t67);
                                                            							_push(_t44);
                                                            							_push(_t71 - 0x24);
                                                            							 *(_t71 - 4) = 2;
                                                            							_t46 = E004096E4(_t55, 0, _t67, _t69, _t90);
                                                            							 *(_t71 - 4) = 3;
                                                            							E00408639( *((intOrPtr*)(_t71 + 0xc)), _t71, _t46);
                                                            							_push( *((intOrPtr*)(_t71 - 0x24)));
                                                            							L00408BFB(_t55, _t67, _t69, _t90);
                                                            							_push( *((intOrPtr*)(_t71 - 0x30)));
                                                            							L00408BFB(_t55, _t67, _t69, _t90);
                                                            							_push( *((intOrPtr*)(_t71 - 0x3c)));
                                                            							L00408BFB(_t55, _t67, _t69, _t90);
                                                            							_push( *(_t71 - 0x18));
                                                            							L00408BFB(_t55, _t67, _t69, _t90);
                                                            							goto L19;
                                                            						}
                                                            					}
                                                            				}
                                                            			}
















                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 0040972B
                                                            • GetCurrentDirectoryW.KERNEL32(00000105,?,00000000,00000030,00409885,004092CF,004092CF,?,004092CF,?,?), ref: 004097C9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryH_prolog3
                                                            • String ID: \\?\
                                                            • API String ID: 1178058307-4282027825
                                                            • Opcode ID: f118a3f3290672144fe87a09f6360a8fcc3ebba0e06e33764bf4dd8cc817b3bd
                                                            • Instruction ID: 7bce271ab9a2bc83a85faa0d6a69cb040a839cacd886d03d576964d627563978
                                                            • Opcode Fuzzy Hash: f118a3f3290672144fe87a09f6360a8fcc3ebba0e06e33764bf4dd8cc817b3bd
                                                            • Instruction Fuzzy Hash: 3531B172C10215AACB24FBA5C886AEFB778AF15304F10843FE104772E3DB795E858799
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041DF34() {
                                                            				intOrPtr _t5;
                                                            				intOrPtr _t6;
                                                            				intOrPtr _t10;
                                                            				void* _t12;
                                                            				intOrPtr _t15;
                                                            				intOrPtr* _t16;
                                                            				signed int _t19;
                                                            				signed int _t20;
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t27;
                                                            
                                                            				_t5 =  *0x4341a0;
                                                            				_t26 = 0x14;
                                                            				if(_t5 != 0) {
                                                            					if(_t5 < _t26) {
                                                            						_t5 = _t26;
                                                            						goto L4;
                                                            					}
                                                            				} else {
                                                            					_t5 = 0x200;
                                                            					L4:
                                                            					 *0x4341a0 = _t5;
                                                            				}
                                                            				_t6 = E0041AE0D(_t5, 4);
                                                            				 *0x433180 = _t6;
                                                            				if(_t6 != 0) {
                                                            					L8:
                                                            					_t19 = 0;
                                                            					_t15 = 0x42dda0;
                                                            					while(1) {
                                                            						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                                                            						_t15 = _t15 + 0x20;
                                                            						_t19 = _t19 + 4;
                                                            						if(_t15 >= 0x42e020) {
                                                            							break;
                                                            						}
                                                            						_t6 =  *0x433180; // 0x23320e0
                                                            					}
                                                            					_t27 = 0xfffffffe;
                                                            					_t20 = 0;
                                                            					_t16 = 0x42ddb0;
                                                            					do {
                                                            						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x4341c0 + (_t20 >> 5) * 4))));
                                                            						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                                                            							 *_t16 = _t27;
                                                            						}
                                                            						_t16 = _t16 + 0x20;
                                                            						_t20 = _t20 + 1;
                                                            					} while (_t16 < 0x42de10);
                                                            					return 0;
                                                            				} else {
                                                            					 *0x4341a0 = _t26;
                                                            					_t6 = E0041AE0D(_t26, 4);
                                                            					 *0x433180 = _t6;
                                                            					if(_t6 != 0) {
                                                            						goto L8;
                                                            					} else {
                                                            						_t12 = 0x1a;
                                                            						return _t12;
                                                            					}
                                                            				}
                                                            			}














                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.440671036.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440715556.0000000000423000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440731657.000000000042C000.00000004.00020000.sdmp
                                                            • Associated: 00000003.00000002.440745631.0000000000435000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440756125.0000000000438000.00000002.00020000.sdmp
                                                            • Associated: 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __calloc_crt
                                                            • String ID: B
                                                            • API String ID: 3494438863-2386870291
                                                            • Opcode ID: 9f15f0925eca237c65d6fa70714d8e4b72b97ca9536b99fd2ee5f47634c721da
                                                            • Instruction ID: 57d23638a4b1109f3cac8a2ec3f751d66eb44c115c110b22eca0b43510dbea81
                                                            • Opcode Fuzzy Hash: 9f15f0925eca237c65d6fa70714d8e4b72b97ca9536b99fd2ee5f47634c721da
                                                            • Instruction Fuzzy Hash: B411A7B1B08A105BEB188E1DBC406E62781AB94338B64423FF117CB2D0E73CD9C2868D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E004190E1(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                            				intOrPtr _t17;
                                                            				intOrPtr* _t28;
                                                            				void* _t29;
                                                            
                                                            				_t30 = __eflags;
                                                            				_t28 = __esi;
                                                            				_t27 = __edi;
                                                            				_t26 = __edx;
                                                            				_t19 = __ebx;
                                                            				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                                                            				E00416A60(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
                                                            				 *((intOrPtr*)(E00418908(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                                                            				_t17 = E00418908(_t19, _t26, _t27, _t30);
                                                            				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                                                            				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                                                            					_t17 =  *((intOrPtr*)(__esi + 0x14));
                                                            					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                                                            						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
                                                            							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
                                                            							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
                                                            								_t17 = E00416A39(_t37,  *((intOrPtr*)(_t28 + 0x18)));
                                                            								_t38 = _t17;
                                                            								if(_t17 != 0) {
                                                            									_push( *((intOrPtr*)(_t29 + 0x10)));
                                                            									_push(_t28);
                                                            									return E00418E79(_t38);
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t17;
                                                            			}







                                                            APIs
                                                              • Part of subcall function 00416A60: __getptd.LIBCMT ref: 00416A66
                                                              • Part of subcall function 00416A60: __getptd.LIBCMT ref: 00416A76
                                                            • __getptd.LIBCMT ref: 004190F0
                                                              • Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
                                                              • Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918
                                                            • __getptd.LIBCMT ref: 004190FE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.440684225.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_LI180_win-1.jbxd
                                                            Similarity
                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                            • String ID: csm
                                                            • API String ID: 803148776-1018135373
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040CBF0,?,?), ref: 0040CB62
                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040CBF0,?,?), ref: 0040CB6B
                                                              • Part of subcall function 0040C9F8: FindFirstFileW.KERNEL32(00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA2B
                                                              • Part of subcall function 0040C9F8: FindClose.KERNEL32(00000000,00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA3B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                            • String ID:
                                                            • API String ID: 3216391948-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA2B
                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA3B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834), ref: 00424B63
                                                            • GetLastError.KERNEL32(00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834), ref: 00424B88
                                                              • Part of subcall function 00424AC0: FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
                                                              • Part of subcall function 00424AC0: FileTimeToDosDateTime.KERNEL32 ref: 00424B01
                                                              • Part of subcall function 00424BBC: FindClose.KERNEL32(?,?,00424B86,00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000), ref: 00424BC8
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
                                                            • String ID:
                                                            • API String ID: 976985129-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetVersionExW.KERNEL32(00858B3C,00000000,0082D434,?,00000000,0082EED8,?,?,?,?,00000028,00000000,00000000), ref: 0082D34C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Version
                                                            • String ID: </Dialogs>$ </ExtractArchive>$ </GlobalLists>$ </ResourcePath>$ </StubData>$ </StubSize>$ </SupportDir>$ <Dialogs>$ <ExtractArchive>$ <GlobalLists>$ <ResourcePath>$ <StubData>$ <StubSize>$ <SupportDir>$ </SetupSplash>$ <RunScript>$ <SetupSplash>$$DOLLAR$$$WILD_DOLLAR$$.msi$.msp$.res$<InstallAware>$TRUE$data\$dxD$lang.loc$mia$mia.lib$mia.tmp
                                                            • API String ID: 1889659487-1851809426
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040C84D,?,?), ref: 0040C661
                                                            • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,0040C84D,?,?), ref: 0040C67D
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,0040C84D,?,?), ref: 0040C6AA
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,0040C84D), ref: 0040C6CC
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?), ref: 0040C6EA
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040C708
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040C726
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040C744
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000), ref: 0040C784
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001), ref: 0040C7AF
                                                            • RegCloseKey.ADVAPI32(?,0040C837,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001,Software\Embarcadero\Locales), ref: 0040C82A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open$QueryValue$CloseFileModuleNamelstrcpyn
                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                            • API String ID: 512384800-3496071916
                                                            • Opcode ID: bdac962312e14bf69b4cb6d8ebe2f4f8c797028779bae34ed630296ed3d58d69
                                                            • Instruction ID: bd9ab06692e8d258f654d8dc2864fdf92ebb3c8a55c2e1fb3935c138dac9bbb8
                                                            • Opcode Fuzzy Hash: bdac962312e14bf69b4cb6d8ebe2f4f8c797028779bae34ed630296ed3d58d69
                                                            • Instruction Fuzzy Hash: 62512675A40209FEEB10FB95CD86FAF73ACDB08705F60457BB604F61C1D6B89A448A5C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D944
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 1f3db080524931f2a71b78ac2fbcba56dfaf1e55a97ed4bd4606fe5a50a1f930
                                                            • Instruction ID: f1754b9a30898a739949526b4897abeae061c25df43582866fa3238b20cb1580
                                                            • Opcode Fuzzy Hash: 1f3db080524931f2a71b78ac2fbcba56dfaf1e55a97ed4bd4606fe5a50a1f930
                                                            • Instruction Fuzzy Hash: EBA14AB5E002099FDB11DFE8D880BAEB7B5BB48310F14453AE905B7390DB78A949CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 005A8F2D
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,0000002B,?,00000000,005A9083,?,00000000,005A90AD,?,?,?,?,00000000,00000000,?,007D8754), ref: 005A8F33
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DesktopFolderLocationSpecialWindow
                                                            • String ID: &$CommonFilesDir$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 712084180-1915935699
                                                            • Opcode ID: e6e4c29796e67ea4c0d594db5d4910fbf98424d5f6c27b1277bb27276f8e460d
                                                            • Instruction ID: 8033c48627882e4f97e082b97ef3ea09083225c8ea2392c17a415e286cff22ce
                                                            • Opcode Fuzzy Hash: e6e4c29796e67ea4c0d594db5d4910fbf98424d5f6c27b1277bb27276f8e460d
                                                            • Instruction Fuzzy Hash: 0F515570A002099FCB14EFA5D8869AEBBF5FF8A304F5184BAF500B7651DB38AD44CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetKeyboardLayoutList.USER32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0055845F), ref: 0055830A
                                                            • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000000,00020019,?,00000040,?), ref: 00558372
                                                            • RegQueryValueExW.ADVAPI32(?,layout text,00000000,00000000,?,00000200), ref: 005583AC
                                                            • RegCloseKey.ADVAPI32(?,00558422,00000000,?,00000200), ref: 00558415
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                            • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$dxD$layout text
                                                            • API String ID: 1703357764-864307836
                                                            • Opcode ID: fb60a5df295c957eb0404e5f092a3a367a012dbe6ae5ca88890075726c5c1705
                                                            • Instruction ID: 1a5b79140d81652e6158ed355ff87afb49eefd5a88f3e5e2b5d4434e5af8b85a
                                                            • Opcode Fuzzy Hash: fb60a5df295c957eb0404e5f092a3a367a012dbe6ae5ca88890075726c5c1705
                                                            • Instruction Fuzzy Hash: EA416874A00209DFDB51DB95C991BAEB7F9FB08308F9040A6E904E7252DB74AE08CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • SHGetPathFromIDListW.SHELL32(0000002B,?), ref: 005A708D
                                                            • SHGetPathFromIDListW.SHELL32(0000002B,?), ref: 005A709E
                                                            • LoadLibraryW.KERNEL32(shell32.dll,00000000,005A71B5,?,?,?,?,00000003,00000000,00000000,?,005A901E,00000000,0000002B,?,00000000), ref: 005A70E3
                                                            • FreeLibrary.KERNEL32(?,?,SHGetPathFromIDListW,shell32.dll,00000000,005A71B5,?,?,?,?,00000003,00000000,00000000,?,005A901E,00000000), ref: 005A7117
                                                            • GetShortPathNameW.KERNEL32 ref: 005A7123
                                                              • Part of subcall function 0042483C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Path$FromLibraryList$AttributesFileFreeLoadNameShort
                                                            • String ID: SHGetPathFromIDListW$shell32.dll
                                                            • API String ID: 1716935149-4041819787
                                                            • Opcode ID: 67e6b3a5649a6259728fbc9b5a399fb55a16764e01cf6bdf8cd1fb77ff14f941
                                                            • Instruction ID: f24a0c27f4c5aba1ac8d85e4b6caa0744ba60476e8af1ded39079c374a10dff6
                                                            • Opcode Fuzzy Hash: 67e6b3a5649a6259728fbc9b5a399fb55a16764e01cf6bdf8cd1fb77ff14f941
                                                            • Instruction Fuzzy Hash: BE41FF75B0420DABDB00EBA5CC429DEB7F9FF89308F51446AF500A7256DA789E05CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,00000001,0042498E,00000000,004249F7), ref: 00424891
                                                            • CloseHandle.KERNEL32(00000000,00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,00000001,0042498E,00000000), ref: 0042489C
                                                            • GetLastError.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 004248E3
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$AttributesCloseCreateErrorHandleLast
                                                            • String ID:
                                                            • API String ID: 2927643983-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00403513
                                                            • Sleep.KERNEL32(0000000A,00000000), ref: 00403529
                                                            • Sleep.KERNEL32(00000000), ref: 00403557
                                                            • Sleep.KERNEL32(0000000A,00000000), ref: 0040356D
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 004245CE
                                                            • GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424631
                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424640
                                                            • FileTimeToLocalFileTime.KERNEL32(?,FB,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424683
                                                              • Part of subcall function 004227FC: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00422849
                                                              • Part of subcall function 004227FC: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,00000001), ref: 0042287B
                                                              • Part of subcall function 004227FC: CloseHandle.KERNEL32(000000FF,004228C4,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,00000001), ref: 004228B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Attributes$Time$CloseCreateErrorHandleLastLocal
                                                            • String ID: FB
                                                            • API String ID: 3059364927-3670039715
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 004247B5
                                                            • GetLastError.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 0042480E
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 1799206407-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BE8
                                                            • GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BF7
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000), ref: 00424BFF
                                                            • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C1A
                                                            • SetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C28
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                            • String ID:
                                                            • API String ID: 2814369299-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OpenListArchive.MIA.LIB(00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D,?,00000000), ref: 007689D5
                                                            • CloseListArchive.MIA.LIB(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D), ref: 00768AAF
                                                              • Part of subcall function 005C9660: FileTimeToLocalFileTime.KERNEL32(00000000,00768B1D,?,?), ref: 005C9677
                                                              • Part of subcall function 005C9660: FileTimeToDosDateTime.KERNEL32 ref: 005C9688
                                                            • GetLastArchiveError.MIA.LIB(00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D,?,00000000), ref: 00768AC2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Time$File$Archive.List$ArchiveCloseDateError.LastLocalOpen
                                                            • String ID: 0
                                                            • API String ID: 727730911-4108050209
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFindFirst
                                                            • String ID: \*.*
                                                            • API String ID: 1974802433-1173974218
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • SetLastError.KERNEL32(00000000,?,?,?,005A723E,00000000,005A725E,?,?,00000000,?,0082D4AC,?,00000000,0082EED8), ref: 00477263
                                                            • GetTempPathW.KERNEL32(00000104,00000000,00000000,?,?,?,005A723E,00000000,005A725E,?,?,00000000,?,0082D4AC,?,00000000), ref: 00477281
                                                            • GetLongPathNameW.KERNEL32(00000000,00000000,00000000), ref: 00477298
                                                            • GetLongPathNameW.KERNEL32(00000000,00000000,00000000), ref: 004772AB
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Path$LongName$ErrorLastTemp
                                                            • String ID:
                                                            • API String ID: 1475991060-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • ExtractArchive.MIA.LIB(00000000,00000001,00000000,?,00000001,00000000,?,00000000,00000000,00000000), ref: 0076860B
                                                            • GetLastArchiveError.MIA.LIB(00000000,00000001,00000000,?,00000001,00000000,?,00000000,00000000,00000000), ref: 00768614
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ArchiveArchive.Error.ExtractLast
                                                            • String ID: dxD
                                                            • API String ID: 1514603430-650693785
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DB91
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DC07
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0047DC78
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408B85
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00408C26
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00408C62
                                                              • Part of subcall function 00408ABC: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AF5
                                                              • Part of subcall function 00408ABC: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AFB
                                                              • Part of subcall function 00408ABC: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?), ref: 00408B16
                                                              • Part of subcall function 00408ABC: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75), ref: 00408B1C
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID:
                                                            • API String ID: 3490077880-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32(0046169C,00000004,00461694,?,?,?,?,?,?,?,?,?,?,00000000,00461DC8), ref: 00461D6C
                                                            • GetCurrentThread.KERNEL32 ref: 00461DA2
                                                            • GetCurrentThreadId.KERNEL32 ref: 00461DAA
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CurrentThread$ErrorLast
                                                            • String ID:
                                                            • API String ID: 4172138867-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000,?,?,00000000,004063A9,0081861A,00000000,008186D2), ref: 0040634C
                                                            • GetStdHandle.KERNEL32(000000F5,?,?,00000000,004063A9,0081861A,00000000,008186D2,?,?,?,00000000,?,0082D52D,00000000,00000000), ref: 0040636C
                                                            • GetLastError.KERNEL32(000000F5,?,?,00000000,004063A9,0081861A,00000000,008186D2,?,?,?,00000000,?,0082D52D,00000000,00000000), ref: 00406380
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateErrorFileHandleLast
                                                            • String ID:
                                                            • API String ID: 1572049330-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0047E8B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID: CommonFilesDir
                                                            • API String ID: 3660427363-2265253956
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,0047E2FC,?,?,CommonFilesDir,00000000,0047E2FC), ref: 0047E2C5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID: CommonFilesDir
                                                            • API String ID: 3660427363-2265253956
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DAF5,?,?,00000000), ref: 0047DA5E
                                                            • RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,0047DAF5,?,?,00000000), ref: 0047DA98
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateOpen
                                                            • String ID:
                                                            • API String ID: 436179556-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000000,0040CD09,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CD92,00000000,?,00000105), ref: 0040CC9D
                                                            • GetSystemDefaultUILanguage.KERNEL32(00000000,0040CD09,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CD92,00000000,?,00000105), ref: 0040CCC5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DefaultLanguage$SystemUser
                                                            • String ID:
                                                            • API String ID: 384301227-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteFile.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,?,00000000,?,0040552D,00000064,00402B50,0000D7B1,?,00000000), ref: 004054AE
                                                            • GetLastError.KERNEL32(?,0040552D,00000064,00402B50,0000D7B1,?,00000000,?,00818654,00000000,00000000,008186D2,?,?,?,00000000), ref: 004054B5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite
                                                            • String ID:
                                                            • API String ID: 442123175-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A,?,00000000,0040BB41), ref: 0040CD54
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A), ref: 0040CDA5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName
                                                            • String ID:
                                                            • API String ID: 1159719554-0
                                                            • Opcode ID: f49f288b91f74fcd056493bfe9f938fb0be1b07c46389491cba556945b7e8bda
                                                            • Instruction ID: f95f1c7a7be229697cbd4194ea68f03b1ad684dc9f70ad0e1a70e9e9ecd67c69
                                                            • Opcode Fuzzy Hash: f49f288b91f74fcd056493bfe9f938fb0be1b07c46389491cba556945b7e8bda
                                                            • Instruction Fuzzy Hash: 7A115130A4421C9BDB14EB50C986BDE77B9DB48304F5145BAB508F32D1DA785F848A99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindNextFileW.KERNEL32(?,?,00000001,00596489,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834,?,?), ref: 00424BA3
                                                            • GetLastError.KERNEL32(?,?,00000001,00596489,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834,?,?), ref: 00424BB5
                                                              • Part of subcall function 00424AC0: FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
                                                              • Part of subcall function 00424AC0: FileTimeToDosDateTime.KERNEL32 ref: 00424B01
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileTime$DateErrorFindLastLocalNext
                                                            • String ID:
                                                            • API String ID: 2103556486-0
                                                            • Opcode ID: 249219fde11eba4d8f0847427deaa5469a8e1ed67c38deb41bcea90f0b7b4556
                                                            • Instruction ID: 94c3d661e99e19b0cf242ad5cc108513695bb429cd69848a77f49ac234955743
                                                            • Opcode Fuzzy Hash: 249219fde11eba4d8f0847427deaa5469a8e1ed67c38deb41bcea90f0b7b4556
                                                            • Instruction Fuzzy Hash: D6C012E2300100574B40AFF6A8C1A9722CC5E8820535805ABBA15CA307DE1DD4504618
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • IsDBCSLeadByteEx.KERNEL32(000004E4,?), ref: 00406833
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteLead
                                                            • String ID:
                                                            • API String ID: 535570690-0
                                                            • Opcode ID: 2f1cb644fb499c63dc5b30d7fec0a20aa9a1c674713672119258b17d28bc32fe
                                                            • Instruction ID: 90b6fd22d809609ea3004cdd2524d420e27ac6550840b70b8a809d14a669ba94
                                                            • Opcode Fuzzy Hash: 2f1cb644fb499c63dc5b30d7fec0a20aa9a1c674713672119258b17d28bc32fe
                                                            • Instruction Fuzzy Hash: 93317C35904184DFDB00D7A8C289BEE7BF1AB11300F1A40F6E845BB2C3D2799F59A715
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DB91
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: 00dcda4b3357fe27e592dec70060977e4b8871651b2a585f5acb668b467a1053
                                                            • Instruction ID: f23ec4b5702853a7ea5987bf2f7fdd18b2bb3f750e5d560e0cf6f6033a68423a
                                                            • Opcode Fuzzy Hash: 00dcda4b3357fe27e592dec70060977e4b8871651b2a585f5acb668b467a1053
                                                            • Instruction Fuzzy Hash: 4821A330F14204AFDB12EB65C952BDEB7F99F48304F2184BEA409E3682D6789E059749
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindResourceW.KERNEL32(00000000,00000000,0000000A,00000000,?,00000000,?,?,00452014,00000000,0045202C,?,0000FFA4,00000000,00000000), ref: 00451E6A
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FindResource
                                                            • String ID:
                                                            • API String ID: 1635176832-0
                                                            • Opcode ID: 4159ebc1ff9f4fa63e2dc2a99cbc1145e40678475c0226c159b9e0146ed05156
                                                            • Instruction ID: d8758b5084b721e2e7b8f07ffa62b5cfea11b7d3667cb77975f3ea63007917f4
                                                            • Opcode Fuzzy Hash: 4159ebc1ff9f4fa63e2dc2a99cbc1145e40678475c0226c159b9e0146ed05156
                                                            • Instruction Fuzzy Hash: 8801D4313083006BD700DF66EC82E6BB7EDEB89719711047AFD00D7292DA7A9C049658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047E9C2), ref: 0047E9A7
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: d175568d259705272e6aa47e86a25d25f43ae7f404f24f7bcc6ed7cf32099ec8
                                                            • Instruction ID: 6c2b064bdfea16977048b204395c2f05d037ce64966bcf41a7dd1988fe17c46e
                                                            • Opcode Fuzzy Hash: d175568d259705272e6aa47e86a25d25f43ae7f404f24f7bcc6ed7cf32099ec8
                                                            • Instruction Fuzzy Hash: 2701B971B00608AFD700EB66C852ADE73ECDB4C304F5040BAB509E3292EA389E048658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID:
                                                            • API String ID: 2422867632-0
                                                            • Opcode ID: 29575488970f715b17986a15caf58521d83e83b8c7794ca887fe32ca52364b9b
                                                            • Instruction ID: ef301df739cc694c572c5ee0b50773967ece18fc2577e6befe398edb865a9ec1
                                                            • Opcode Fuzzy Hash: 29575488970f715b17986a15caf58521d83e83b8c7794ca887fe32ca52364b9b
                                                            • Instruction Fuzzy Hash: A6015E72B04214AFDB41DB9D9884B4AB7ECAB98360F10817AF548E73D1DA749D408B68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00000000,004087DE,?,00841054,00843B18,00000000,?,00408BF6,?,?,?,?,00408C8A,004049FB,00404A42), ref: 004087CE
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,?,00000001,0042C450,00000000,0042C3AF,?,00000000,0042C40D), ref: 0042304B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID:
                                                            • API String ID: 1825529933-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,0059EC8D,?,00000001,?,?,0082DB80,?,mia,.res,00000000,00000000,00000000,?,00000000), ref: 0059EC63
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00424594: GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 004245CE
                                                              • Part of subcall function 00424594: GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424631
                                                              • Part of subcall function 00424594: GetLastError.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424640
                                                              • Part of subcall function 00424594: FileTimeToLocalFileTime.KERNEL32(?,FB,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424683
                                                            • FileTimeToDosDateTime.KERNEL32 ref: 004246F9
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Time$Attributes$DateErrorLastLocal
                                                            • String ID:
                                                            • API String ID: 663141457-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,0000020A,?,00000000,0040BB41,0041E298,0041E29C,?,0040D5A0), ref: 0040BAF2
                                                              • Part of subcall function 0040CD18: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A,?,00000000,0040BB41), ref: 0040CD54
                                                              • Part of subcall function 0040CD18: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A), ref: 0040CDA5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileModuleName$LibraryLoad
                                                            • String ID:
                                                            • API String ID: 4113206344-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000001,004249D2,00000000,004249F7,?,?,00000000,00000000,00000000,00000000,?,0082D4D3,?,00000000), ref: 004250F1
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateDirectory
                                                            • String ID:
                                                            • API String ID: 4241100979-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00408BE6,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00407184
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,00000000,00000000,?,?,0058503C,005874F0,?,00000000,0058512B,?,00000000,?), ref: 00464D06
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 09c544327ed3e2257745a0b1e5b614fcc5909a1661039ce2c3f127fb09c38e11
                                                            • Instruction ID: 414783f545f013a41a00390d3318c56245cd632fceaf0a69517d536ab90c3cc3
                                                            • Opcode Fuzzy Hash: 09c544327ed3e2257745a0b1e5b614fcc5909a1661039ce2c3f127fb09c38e11
                                                            • Instruction Fuzzy Hash: 85115E746007058BC710DF1AD880B42FBE5FF89750F10C53AEA598B385E374E915CBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00403757), ref: 0040315A
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: f216b6ceb9f08cfb8ecaa4418ae988c501d28e156bbf7e1e539a0e26d76dff0d
                                                            • Instruction ID: eaab0908dca398bdff0d631121814ce98026ab15d171e95ea26a12bb78313901
                                                            • Opcode Fuzzy Hash: f216b6ceb9f08cfb8ecaa4418ae988c501d28e156bbf7e1e539a0e26d76dff0d
                                                            • Instruction Fuzzy Hash: 1EF04FB5B422004BDB14CF798D49302BAD6B78A305F10817EE509DB79CDB748446CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000), ref: 0040C451
                                                            • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040C462
                                                            • lstrcpynW.KERNEL32(?,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105), ref: 0040C492
                                                            • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019), ref: 0040C501
                                                            • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001), ref: 0040C549
                                                            • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830), ref: 0040C55C
                                                            • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000), ref: 0040C572
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F), ref: 0040C57E
                                                            • lstrcpynW.KERNEL32(0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?), ref: 0040C5BA
                                                            • lstrlenW.KERNEL32(?,0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298), ref: 0040C5C6
                                                            • lstrcpynW.KERNEL32(?,0000005C,?,?,0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 0040C5E9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                            • String ID: GetLongPathNameW$\$kernel32.dll
                                                            • API String ID: 3245196872-3908791685
                                                            • Opcode ID: b04ba5caedf144eeb875c5d634dacea720d2e9b1876c80ca577194fcfae269f7
                                                            • Instruction ID: 76c12ef7d0d67687ef3a7bd8e91ca30b501443e14e09bb49bd729650117b71ee
                                                            • Opcode Fuzzy Hash: b04ba5caedf144eeb875c5d634dacea720d2e9b1876c80ca577194fcfae269f7
                                                            • Instruction Fuzzy Hash: 1A517476900228EBCB10EB94CDC5ADE73BCAF44314F1446B6A505F72C1E678EE409B59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB,?,?,?,?,00000000,00000000), ref: 00794367
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB,?,?,?,?,00000000), ref: 00794379
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 00794536
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 00794547
                                                            • FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 0079455C
                                                            • FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 0079456E
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000), ref: 0079466A
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000), ref: 0079467B
                                                              • Part of subcall function 007942A8: FindClose.KERNEL32(000000FF), ref: 0079448A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$Close$File$FirstNext
                                                            • String ID: $IGNORE$$*.*$dxD
                                                            • API String ID: 3527384056-1668806599
                                                            • Opcode ID: 0ca9cdae76652d41ac622ccf3a5bcac9f3a953c23b400b37e8c6532243a88ea4
                                                            • Instruction ID: e1b80d9ff527bd2dbf90f37abcf2fb7d5bc5ee44b63da5edd6403852173e2c8f
                                                            • Opcode Fuzzy Hash: 0ca9cdae76652d41ac622ccf3a5bcac9f3a953c23b400b37e8c6532243a88ea4
                                                            • Instruction Fuzzy Hash: E0B16E74A0421A9FCF20EBA5D889FDDB3B5EF45304F1041E6E508A7291DB38AE86CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920,00000000), ref: 007947B6
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920), ref: 007947C8
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E), ref: 0079496C
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001), ref: 0079497D
                                                            • FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000), ref: 00794992
                                                            • FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000), ref: 007949A4
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053), ref: 00794A4A
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B), ref: 00794A5B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFile$FirstNext
                                                            • String ID: *.*$dxD
                                                            • API String ID: 1164774033-3064973229
                                                            • Opcode ID: 48861e728c33fcb31fb06544e2d3f24791516a9b7d6b355fd16156afaa90fea4
                                                            • Instruction ID: ff152c514afcea9cfc9e838b5402cdfe4aa7c3f6c782aca87fd93a1163c2126f
                                                            • Opcode Fuzzy Hash: 48861e728c33fcb31fb06544e2d3f24791516a9b7d6b355fd16156afaa90fea4
                                                            • Instruction Fuzzy Hash: 1591417490421E9FCF20EBA5D889EDDB7B5EF44308F1041E9E508A7291DB38AE86CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005965A2
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005965B4
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005966BD
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000), ref: 005966CE
                                                            • FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000), ref: 005966E3
                                                            • FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000), ref: 005966F5
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000), ref: 0059679B
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000), ref: 005967AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFile$FirstNext
                                                            • String ID: *.*$dxD
                                                            • API String ID: 1164774033-3064973229
                                                            • Opcode ID: 923b812e680f5dd07e6239f800a0fc17d47a8c003e3a36ed88f83db44a91d92a
                                                            • Instruction ID: 36c3d6617cd4af2a79d1d750f7a8f62ae953cbc5bd5202a4d3b83fbe1fa0981b
                                                            • Opcode Fuzzy Hash: 923b812e680f5dd07e6239f800a0fc17d47a8c003e3a36ed88f83db44a91d92a
                                                            • Instruction Fuzzy Hash: 8371527490421E9FCF10EBA5C889ADDBBB9FF44308F1041E6E508A7295DB34AE89CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920,00000000), ref: 007947B6
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920), ref: 007947C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID: *.*$dxD
                                                            • API String ID: 2295610775-3064973229
                                                            • Opcode ID: f2b3fefebb37129a0a1e6f182d7a70ee6f754dab094e66b77317f835a39bf437
                                                            • Instruction ID: 1a731755e4436f46a0472c1f2d3eaa4540c5553183ac843544b75001628e15ed
                                                            • Opcode Fuzzy Hash: f2b3fefebb37129a0a1e6f182d7a70ee6f754dab094e66b77317f835a39bf437
                                                            • Instruction Fuzzy Hash: 61217F70904249AFDF11EBA4DC86EDEB7B8EF45304F5085AAE504A3291DB385E46CB98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindResourceW.KERNEL32(00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?,?,00000000,?,00451E89), ref: 004580FB
                                                            • LoadResource.KERNEL32(00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?,?,00000000), ref: 00458115
                                                            • SizeofResource.KERNEL32(00000000,00458180,00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?), ref: 0045812F
                                                            • LockResource.KERNEL32(00456D84,00000000,00000000,00458180,00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000), ref: 00458139
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID:
                                                            • API String ID: 3473537107-0
                                                            • Opcode ID: 414d090d51e5c97bb2d7871269b0df026c3f90b3cc5e867df6ac2b737ce49eed
                                                            • Instruction ID: ade0e4e0a8cbb3b7b760c1b632ec3f7ae6df1f7590847d81dfa81050c3fea11b
                                                            • Opcode Fuzzy Hash: 414d090d51e5c97bb2d7871269b0df026c3f90b3cc5e867df6ac2b737ce49eed
                                                            • Instruction Fuzzy Hash: 95F04BB26056046F4B44EF6EA881DAB77DCEE88265314016FFE18D7203EE39DD058378
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLogicalDriveStringsW.KERNEL32(00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223CD
                                                            • QueryDosDeviceW.KERNEL32(?,?,00000104,00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223F7
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeviceDriveLogicalQueryStrings
                                                            • String ID:
                                                            • API String ID: 3173366581-0
                                                            • Opcode ID: 9563d0ab6aaf4842d0edd40f2f0d35f435b585cc995c796c0a937676d6f7830c
                                                            • Instruction ID: 354671eaa8e3175f811fc1bd7a604b5dd3e2e35648643b3f32a5b14cd8c5f9cd
                                                            • Opcode Fuzzy Hash: 9563d0ab6aaf4842d0edd40f2f0d35f435b585cc995c796c0a937676d6f7830c
                                                            • Instruction Fuzzy Hash: 81319671B00219ABDB20DB64DD81A9EB7B8EF48314F5440AAE904E7351D778DE44CB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryW.KERNEL32(PSAPI.dll,00000000,0041334D,00000000,00000000,00000000,?,00422706,00000104,00000000,0042275A,?,000003EE,00000004,00000000,00000000), ref: 00412E70
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
                                                            • API String ID: 1029625771-2267155864
                                                            • Opcode ID: 6bac1b2b4a319ff33ccb8e8104650400bc02deb93b4b18c6396d2ce78b5e6f7a
                                                            • Instruction ID: e8ef9a16514465b5e6b2cf852d3bc01d448d5d354a81a289e54fbc754b55e648
                                                            • Opcode Fuzzy Hash: 6bac1b2b4a319ff33ccb8e8104650400bc02deb93b4b18c6396d2ce78b5e6f7a
                                                            • Instruction Fuzzy Hash: 6D41FAB8A40318AF9F00EFB69CC6A9537A8BB06705710056FB514DF3A4DA78DA81CB1D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000,00000000), ref: 0040C30E
                                                            • LeaveCriticalSection.KERNEL32(00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000), ref: 0040C332
                                                            • LeaveCriticalSection.KERNEL32(00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000), ref: 0040C341
                                                            • IsValidLocale.KERNEL32(00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09), ref: 0040C353
                                                            • EnterCriticalSection.KERNEL32(00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09), ref: 0040C3B0
                                                            • lstrcpynW.KERNEL32(en-US,en,,00000000,000000AA,00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA), ref: 0040C3CE
                                                            • LeaveCriticalSection.KERNEL32(00843B88,en-US,en,,00000000,000000AA,00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000), ref: 0040C3D8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$Enter$LocaleValidlstrcpyn
                                                            • String ID: en-US,en,
                                                            • API String ID: 1058953229-3579323720
                                                            • Opcode ID: 633940988bd0bd6c9b287c41c329676b3fc209daa88bbceb5542c180f6a54ac6
                                                            • Instruction ID: 840befadd27682b71f7f5cd4a757e932a44a81a62cff2673ef979b7a35d4f3a5
                                                            • Opcode Fuzzy Hash: 633940988bd0bd6c9b287c41c329676b3fc209daa88bbceb5542c180f6a54ac6
                                                            • Instruction Fuzzy Hash: 8421D834354708A7D7147BA68D57B1E3294EF85758F50453FB840F63D2CABC9D01929E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AF5
                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AFB
                                                            • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?), ref: 00408B16
                                                            • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75), ref: 00408B1C
                                                            • MessageBoxA.USER32 ref: 00408B3A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileHandleWrite$Message
                                                            • String ID: Error$Runtime error at 00000000
                                                            • API String ID: 1570097196-2970929446
                                                            • Opcode ID: d55f0b3ec2b3309b3ec7c4b4bf2282798b450c2c57fb01e50abc9738b356a3b2
                                                            • Instruction ID: 883d27b1f089570435a1ec32665e41e73b0e3fe465dedc934fa18f7fcc10b570
                                                            • Opcode Fuzzy Hash: d55f0b3ec2b3309b3ec7c4b4bf2282798b450c2c57fb01e50abc9738b356a3b2
                                                            • Instruction Fuzzy Hash: 98F0A4A1A8024035FE107BA55E1EF56366CA751B19F10463FB160B56D2CABC68C4C619
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ff865de398dabf03235835d6a03df8d6bd4440262de3a292e4e093a064290b02
                                                            • Instruction ID: 06de5c44b1e8d66e5792396b36ef80cda03d3281113913fe30758daa7217e7fe
                                                            • Opcode Fuzzy Hash: ff865de398dabf03235835d6a03df8d6bd4440262de3a292e4e093a064290b02
                                                            • Instruction Fuzzy Hash: 3EC14A627106000BE714AE7D9D8972EBA8D9BC5326F18823FF144EB3D6DA7CDE458348
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00407F3C: GetCurrentThreadId.KERNEL32 ref: 00407F3F
                                                            • GetTickCount.KERNEL32 ref: 00407B7B
                                                            • GetTickCount.KERNEL32 ref: 00407B8D
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407BC0
                                                            • GetTickCount.KERNEL32 ref: 00407BE7
                                                            • GetTickCount.KERNEL32 ref: 00407C21
                                                            • GetTickCount.KERNEL32 ref: 00407C4B
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407CC1
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountTick$CurrentThread
                                                            • String ID:
                                                            • API String ID: 3968769311-0
                                                            • Opcode ID: 5369a3ff8cf9b08d90c4e116274b425cc6b0c131ff5b93987916801eede752e2
                                                            • Instruction ID: 505cc0ca4ebae022a0f1ed319f5fc283f6d826263fe70601ac970ffa21443408
                                                            • Opcode Fuzzy Hash: 5369a3ff8cf9b08d90c4e116274b425cc6b0c131ff5b93987916801eede752e2
                                                            • Instruction Fuzzy Hash: 88418F30A0C3444AE720AE7CC58832F7BD1AB85344F15893FE4D4A73C2DABCA881975B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryW.KERNEL32(shfolder.dll,00000000,005A6FF3), ref: 005A6F30
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            • GetDesktopWindow.USER32 ref: 005A6F69
                                                            • GetShortPathNameW.KERNEL32 ref: 005A6F96
                                                            • FreeLibrary.KERNEL32(00000000,00000000,SHGetFolderPathW,shfolder.dll,00000000,005A6FF3), ref: 005A6FD0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Library$AddressDesktopFreeLoadNamePathProcShortWindow
                                                            • String ID: SHGetFolderPathW$shfolder.dll
                                                            • API String ID: 190074832-3387970553
                                                            • Opcode ID: 31a51a6c87f614c9f7c1187207f5dc5a0d7fce9b88a45971a8966e53014efcb9
                                                            • Instruction ID: ec3bacc96b391dfa64664bada29a1a1cad6acc7f1103c9f38b08fc0397cb3db3
                                                            • Opcode Fuzzy Hash: 31a51a6c87f614c9f7c1187207f5dc5a0d7fce9b88a45971a8966e53014efcb9
                                                            • Instruction Fuzzy Hash: 7021C775E4420AAFCB00EBA5DC51AAEBBB8FF46704F14447AF504F7294DB349E008B58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,00000001), ref: 00407916
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040791C
                                                            • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation,00000001), ref: 00407938
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastModuleProc
                                                            • String ID: GetLogicalProcessorInformation$kernel32.dll$k
                                                            • API String ID: 4275029093-3824636038
                                                            • Opcode ID: bc1493411cf7a1fdcbc33e286c73cc8e5e4d51c8ea2d0e9cf86bcd57a426165a
                                                            • Instruction ID: 3ef7fc8a316c6a40be9ae1a577b33141ba89fc8532ffa234138abc26abf6d127
                                                            • Opcode Fuzzy Hash: bc1493411cf7a1fdcbc33e286c73cc8e5e4d51c8ea2d0e9cf86bcd57a426165a
                                                            • Instruction Fuzzy Hash: 72116AB1D0C204AEFB10EBA5DE45B5EB7A9EB44314F20447BE404B22C2D67DB940D66E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileSize.KERNEL32(?,?), ref: 00422609
                                                            • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000001,00000000,?,?), ref: 0042269F
                                                            • MapViewOfFile.KERNEL32(000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000,00000001,00000000,?), ref: 004226CE
                                                            • GetCurrentProcess.KERNEL32(00000104,00000000,0042275A,?,000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000), ref: 004226F3
                                                            • UnmapViewOfFile.KERNEL32(00000000,00422761,?,000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000,00000001), ref: 00422754
                                                              • Part of subcall function 00422390: GetLogicalDriveStringsW.KERNEL32(00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223CD
                                                              • Part of subcall function 00422390: QueryDosDeviceW.KERNEL32(?,?,00000104,00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223F7
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$View$CreateCurrentDeviceDriveLogicalMappingProcessQuerySizeStringsUnmap
                                                            • String ID:
                                                            • API String ID: 435433801-0
                                                            • Opcode ID: 73ae006de74c5a6efbfeb4249140766e4eca8248ed6ba63f726dbea61ff99326
                                                            • Instruction ID: 4187adb91f966debfcf9f471d10a7bce2dda35d7e6eeff07d021d263234a0034
                                                            • Opcode Fuzzy Hash: 73ae006de74c5a6efbfeb4249140766e4eca8248ed6ba63f726dbea61ff99326
                                                            • Instruction Fuzzy Hash: 88518F70B04219BFDB10EFA5D985B9EB7B5EB48304F9044EAE504A7291D7B89E80CF58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFileAttributesW.KERNEL32(00000000,?,?,?,00000000,00000000,0000000B,00000000,00000000,00000001,?,007D984A,00000000,007D98E0), ref: 00768E99
                                                              • Part of subcall function 00424BD8: DeleteFileW.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BE8
                                                              • Part of subcall function 00424BD8: GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BF7
                                                              • Part of subcall function 00424BD8: GetFileAttributesW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000), ref: 00424BFF
                                                              • Part of subcall function 00424BD8: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C1A
                                                            • MoveFileW.KERNEL32(00000000), ref: 00768F33
                                                              • Part of subcall function 0040717C: KiUserCallbackDispatcher.NTDLL(00408BE6,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00407184
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Attributes$CallbackDeleteDirectoryDispatcherErrorLastMoveRemoveUser
                                                            • String ID: *.*
                                                            • API String ID: 691102307-438819550
                                                            • Opcode ID: 67e84289ecff61f33034e0fd06d8d97b73431112671c936c531bd7e4000b6789
                                                            • Instruction ID: 0fa0777bf0979ef0c8522848ad50890eb5ff942d969ead750916ebb87b8794d9
                                                            • Opcode Fuzzy Hash: 67e84289ecff61f33034e0fd06d8d97b73431112671c936c531bd7e4000b6789
                                                            • Instruction Fuzzy Hash: 4691FC30A0010EAFDF01EBA9D845ACDB7B5FF58304F50856AF805B72A5DB35AE05CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID: |>C
                                                            • API String ID: 1473721057-213533553
                                                            • Opcode ID: f77f160c4784674292fd838c38f5d47e98ced0e3141dfb1bc3a2e06e65c17674
                                                            • Instruction ID: 20914c188d6625644210769ee22846e9ff66e0570ff4a8d1b76d358979a87ea4
                                                            • Opcode Fuzzy Hash: f77f160c4784674292fd838c38f5d47e98ced0e3141dfb1bc3a2e06e65c17674
                                                            • Instruction Fuzzy Hash: 3D01D46070421086DB10AB25DA857E632985FAD308F20357BB0469B253CB7CFC46D76F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 007D6E80: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
                                                              • Part of subcall function 007D6E80: GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,?,?,00794AFA), ref: 007DBD90
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: HandleModule$AddressCurrentProcProcess
                                                            • String ID: Win32$Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 4003494863-80893164
                                                            • Opcode ID: 08872e14f903e4fc870fbfef4b6a36aa4199ea15be0b445078baef3c9e14c768
                                                            • Instruction ID: b85d9e4078d9ce42f5daec457a4bd7b584622aa0e684e5eccdb4b4bfda696b28
                                                            • Opcode Fuzzy Hash: 08872e14f903e4fc870fbfef4b6a36aa4199ea15be0b445078baef3c9e14c768
                                                            • Instruction Fuzzy Hash: 30E02B20B41350E5CE10A7B598167A507B61E4DF8870A0427FD80A73D3DB5CCC0159E8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 007D6E80: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
                                                              • Part of subcall function 007D6E80: GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,?,?,00794B5A,00794B62), ref: 007DBE64
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: HandleModule$AddressCurrentProcProcess
                                                            • String ID: Win32$Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 4003494863-74661203
                                                            • Opcode ID: 4b5169e114a068f3f1820069252d1bfd3dd91b72d2f48b51fada0d1a3b731179
                                                            • Instruction ID: 5d07d555bf60436f01e20604474d777d017adacec3ea30256a2cc30a8457dad9
                                                            • Opcode Fuzzy Hash: 4b5169e114a068f3f1820069252d1bfd3dd91b72d2f48b51fada0d1a3b731179
                                                            • Instruction Fuzzy Hash: CDF0E561A013B0D5CE2063795815EE21FB82B45748F0A0927BF8097793D72CCC0D82A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            • GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressCurrentHandleModuleProcProcess
                                                            • String ID: IsWow64Process$kernel32
                                                            • API String ID: 4190356694-3789238822
                                                            • Opcode ID: fbfa8b9be56232b2a7a050497b9336513c0f72992db566346c55723fb6780570
                                                            • Instruction ID: 8f20da8456057496d7b22a05698da9075f8360932483dc278fb67f6f45ead45b
                                                            • Opcode Fuzzy Hash: fbfa8b9be56232b2a7a050497b9336513c0f72992db566346c55723fb6780570
                                                            • Instruction Fuzzy Hash: 7FE012BE7647436E6E0077F79C82D6B17AC9A90359710093BF540D0252EAADC855102D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C1E5
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040C243
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040C2A0
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040C2D3
                                                              • Part of subcall function 0040C190: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040C251), ref: 0040C1A7
                                                              • Part of subcall function 0040C190: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040C251), ref: 0040C1C4
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Thread$LanguagesPreferred$Language
                                                            • String ID:
                                                            • API String ID: 2255706666-0
                                                            • Opcode ID: bc24a83227e15b380631f55bd2f426ee2f9d90468bb3ecff20a5d0c17074213b
                                                            • Instruction ID: 5adc0bea2c8af2d65c5d3e99b3eb73bb67b06f85e1b4683f9ecad5d3c1eab476
                                                            • Opcode Fuzzy Hash: bc24a83227e15b380631f55bd2f426ee2f9d90468bb3ecff20a5d0c17074213b
                                                            • Instruction Fuzzy Hash: 42310A70E0021ADBDB10EBE9C885AAFB7B8FF48314F4046BAE551F7295D7789A04CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindNextFileW.KERNEL32(?,?), ref: 00424AD1
                                                            • GetLastError.KERNEL32(?,?), ref: 00424ADA
                                                            • FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
                                                            • FileTimeToDosDateTime.KERNEL32 ref: 00424B01
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileTime$DateErrorFindLastLocalNext
                                                            • String ID:
                                                            • API String ID: 2103556486-0
                                                            • Opcode ID: 9609eb00e04a689bd71bdebf9600531a51fed77c8bea1292b3844d585f781882
                                                            • Instruction ID: fe6fac3a6ac03b6b4440619cae4f2eff92646066b65c4be4ccf9c54d9b613497
                                                            • Opcode Fuzzy Hash: 9609eb00e04a689bd71bdebf9600531a51fed77c8bea1292b3844d585f781882
                                                            • Instruction Fuzzy Hash: 5411ADB1700100AFDB44DF69C8C199777ECEF8834475485ABED04CB24EE638DC018BA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: oY@$X(
                                                            • API String ID: 0-2454232136
                                                            • Opcode ID: a3635da41d6ada84ed8f10af34513a83174d4b8c9a070eb1340295e14fa243af
                                                            • Instruction ID: 657c74bf76a079fdf93a688482b863b4ef09bc5b766970fd558e04562a456c78
                                                            • Opcode Fuzzy Hash: a3635da41d6ada84ed8f10af34513a83174d4b8c9a070eb1340295e14fa243af
                                                            • Instruction Fuzzy Hash: F351D431A045A88BCB11DB69C4957AF7BB4DF51304F0801BB9885BB2C7D63C9E05DFA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0042483C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
                                                            • GetVolumeInformationW.KERNEL32(00000000,?,00000104,?,?,?,?,00000104,00000000,0042448C,?,00000000,?), ref: 004243F3
                                                            • GetDriveTypeW.KERNEL32(00000000), ref: 00424418
                                                              • Part of subcall function 004247A4: GetFileAttributesW.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 004247B5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile$DriveInformationTypeVolume
                                                            • String ID: d5A
                                                            • API String ID: 2660071179-326437214
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VariantCopy.OLEAUT32 ref: 00434D2D
                                                              • Part of subcall function 0043446C: VariantClear.OLEAUT32 ref: 0043447B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Variant$ClearCopy
                                                            • String ID: |>C
                                                            • API String ID: 274517740-213533553
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(NTDLL.DLL,NtQueryObject,00000000,00000000), ref: 004224EE
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: NTDLL.DLL$NtQueryObject
                                                            • API String ID: 1646373207-3865875859
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 007277C9
                                                            • EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,00727CFF,?,?,?,00000000,00000000,?,0079430B,00000000,00000000,00000064,00000000), ref: 007277E7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountCriticalEnterSectionTick
                                                            • String ID: MYAH_LastDelegateTick
                                                            • API String ID: 3768448988-2068939020
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetACP.KERNEL32(0047861C,00000000), ref: 00430464
                                                            • GetCPInfo.KERNEL32(00430548,?,0047861C,00000000), ref: 00430485
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Info
                                                            • String ID: L.A
                                                            • API String ID: 1807457897-2350765468
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,005956AB,?,00000001,00000001,00000000,?,005957A1,00000000,005957C6,?,00000000,00000000,00000000), ref: 00595661
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,005956AB,?,00000001,00000001,00000000,?,005957A1,00000000,005957C6,?,00000000), ref: 0059568A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateDirectory
                                                            • String ID: \\?\
                                                            • API String ID: 4241100979-4282027825
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040CBF0,?,?), ref: 0040CB62
                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040CBF0,?,?), ref: 0040CB6B
                                                              • Part of subcall function 0040C9F8: FindFirstFileW.KERNEL32(00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA2B
                                                              • Part of subcall function 0040C9F8: FindClose.KERNEL32(00000000,00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA3B
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                            • String ID:
                                                            • API String ID: 3216391948-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA2B
                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA3B
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 9e1dfe6f42f38fe5fee79ec9a6cfd20d37323d4e53de93dc210a85409fa04306
                                                            • Instruction ID: 2d6f6286354a10e5bc494812b8926dfd1e7cb371c99a917dddbeb77f05d97bc8
                                                            • Opcode Fuzzy Hash: 9e1dfe6f42f38fe5fee79ec9a6cfd20d37323d4e53de93dc210a85409fa04306
                                                            • Instruction Fuzzy Hash: 8DF0B430600208AFC710FF75CD52A4DB3ECDB443147A00576B404F22C1EA389E00995C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834), ref: 00424B63
                                                            • GetLastError.KERNEL32(00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834), ref: 00424B88
                                                              • Part of subcall function 00424AC0: FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
                                                              • Part of subcall function 00424AC0: FileTimeToDosDateTime.KERNEL32 ref: 00424B01
                                                              • Part of subcall function 00424BBC: FindClose.KERNEL32(?,?,00424B86,00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000), ref: 00424BC8
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
                                                            • String ID:
                                                            • API String ID: 976985129-0
                                                            • Opcode ID: 2e5de55aafeed0e3f81a13e10239d89ebfd0b8ad6166b697f13ed275721c6c72
                                                            • Instruction ID: 129b9a8e3a804e3a0b789ce555aedcb953d3dbc06cbad93d92fb841f598433eb
                                                            • Opcode Fuzzy Hash: 2e5de55aafeed0e3f81a13e10239d89ebfd0b8ad6166b697f13ed275721c6c72
                                                            • Instruction Fuzzy Hash: 96E065B6B01130074754ABBE68816AA55C8C9C8375359027FB915DB346D52CCC0647D8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetVersionExW.KERNEL32(00858B3C,00000000,0082D434,?,00000000,0082EED8,?,?,?,?,00000028,00000000,00000000), ref: 0082D34C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Version
                                                            • String ID: </Dialogs>$ </ExtractArchive>$ </GlobalLists>$ </ResourcePath>$ </StubData>$ </StubSize>$ </SupportDir>$ <Dialogs>$ <ExtractArchive>$ <GlobalLists>$ <ResourcePath>$ <StubData>$ <StubSize>$ <SupportDir>$ </SetupSplash>$ <RunScript>$ <SetupSplash>$$DOLLAR$$$WILD_DOLLAR$$.msi$.msp$.res$<InstallAware>$TRUE$data\$dxD$lang.loc$mia$mia.lib$mia.tmp
                                                            • API String ID: 1889659487-1851809426
                                                            • Opcode ID: c0f449ea3db6afbdaebd4e5398f8ca0530294d83ec301b6686362c1fcf47894a
                                                            • Instruction ID: da3f706e8fad9170a8dfdb118e7f0e5f4ab879b6b969e9938d5adb5aa6c1a0e2
                                                            • Opcode Fuzzy Hash: c0f449ea3db6afbdaebd4e5398f8ca0530294d83ec301b6686362c1fcf47894a
                                                            • Instruction Fuzzy Hash: 06720F74640214CFCB00FBE9E85594937A5FB85316B50407BFA06FB362DE399C49CB9A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040C84D,?,?), ref: 0040C661
                                                            • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,0040C84D,?,?), ref: 0040C67D
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,0040C84D,?,?), ref: 0040C6AA
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,0040C84D), ref: 0040C6CC
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?), ref: 0040C6EA
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040C708
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040C726
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040C744
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000), ref: 0040C784
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001), ref: 0040C7AF
                                                            • RegCloseKey.ADVAPI32(?,0040C837,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001,Software\Embarcadero\Locales), ref: 0040C82A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open$QueryValue$CloseFileModuleNamelstrcpyn
                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                            • API String ID: 512384800-3496071916
                                                            • Opcode ID: bdac962312e14bf69b4cb6d8ebe2f4f8c797028779bae34ed630296ed3d58d69
                                                            • Instruction ID: bd9ab06692e8d258f654d8dc2864fdf92ebb3c8a55c2e1fb3935c138dac9bbb8
                                                            • Opcode Fuzzy Hash: bdac962312e14bf69b4cb6d8ebe2f4f8c797028779bae34ed630296ed3d58d69
                                                            • Instruction Fuzzy Hash: 62512675A40209FEEB10FB95CD86FAF73ACDB08705F60457BB604F61C1D6B89A448A5C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D944
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 1f3db080524931f2a71b78ac2fbcba56dfaf1e55a97ed4bd4606fe5a50a1f930
                                                            • Instruction ID: f1754b9a30898a739949526b4897abeae061c25df43582866fa3238b20cb1580
                                                            • Opcode Fuzzy Hash: 1f3db080524931f2a71b78ac2fbcba56dfaf1e55a97ed4bd4606fe5a50a1f930
                                                            • Instruction Fuzzy Hash: EBA14AB5E002099FDB11DFE8D880BAEB7B5BB48310F14453AE905B7390DB78A949CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 005A8F2D
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,0000002B,?,00000000,005A9083,?,00000000,005A90AD,?,?,?,?,00000000,00000000,?,007D8754), ref: 005A8F33
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DesktopFolderLocationSpecialWindow
                                                            • String ID: &$CommonFilesDir$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 712084180-1915935699
                                                            • Opcode ID: e6e4c29796e67ea4c0d594db5d4910fbf98424d5f6c27b1277bb27276f8e460d
                                                            • Instruction ID: 8033c48627882e4f97e082b97ef3ea09083225c8ea2392c17a415e286cff22ce
                                                            • Opcode Fuzzy Hash: e6e4c29796e67ea4c0d594db5d4910fbf98424d5f6c27b1277bb27276f8e460d
                                                            • Instruction Fuzzy Hash: 0F515570A002099FCB14EFA5D8869AEBBF5FF8A304F5184BAF500B7651DB38AD44CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            APIs
                                                            • GetKeyboardLayoutList.USER32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0055845F), ref: 0055830A
                                                            • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000000,00020019,?,00000040,?), ref: 00558372
                                                            • RegQueryValueExW.ADVAPI32(?,layout text,00000000,00000000,?,00000200), ref: 005583AC
                                                            • RegCloseKey.ADVAPI32(?,00558422,00000000,?,00000200), ref: 00558415
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                            • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$dxD$layout text
                                                            • API String ID: 1703357764-864307836
                                                            • Opcode ID: fb60a5df295c957eb0404e5f092a3a367a012dbe6ae5ca88890075726c5c1705
                                                            • Instruction ID: 1a5b79140d81652e6158ed355ff87afb49eefd5a88f3e5e2b5d4434e5af8b85a
                                                            • Opcode Fuzzy Hash: fb60a5df295c957eb0404e5f092a3a367a012dbe6ae5ca88890075726c5c1705
                                                            • Instruction Fuzzy Hash: EA416874A00209DFDB51DB95C991BAEB7F9FB08308F9040A6E904E7252DB74AE08CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • SHGetPathFromIDListW.SHELL32(0000002B,?), ref: 005A708D
                                                            • SHGetPathFromIDListW.SHELL32(0000002B,?), ref: 005A709E
                                                            • LoadLibraryW.KERNEL32(shell32.dll,00000000,005A71B5,?,?,?,?,00000003,00000000,00000000,?,005A901E,00000000,0000002B,?,00000000), ref: 005A70E3
                                                            • FreeLibrary.KERNEL32(?,?,SHGetPathFromIDListW,shell32.dll,00000000,005A71B5,?,?,?,?,00000003,00000000,00000000,?,005A901E,00000000), ref: 005A7117
                                                            • GetShortPathNameW.KERNEL32 ref: 005A7123
                                                              • Part of subcall function 0042483C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Path$FromLibraryList$AttributesFileFreeLoadNameShort
                                                            • String ID: SHGetPathFromIDListW$shell32.dll
                                                            • API String ID: 1716935149-4041819787
                                                            • Opcode ID: 67e6b3a5649a6259728fbc9b5a399fb55a16764e01cf6bdf8cd1fb77ff14f941
                                                            • Instruction ID: f24a0c27f4c5aba1ac8d85e4b6caa0744ba60476e8af1ded39079c374a10dff6
                                                            • Opcode Fuzzy Hash: 67e6b3a5649a6259728fbc9b5a399fb55a16764e01cf6bdf8cd1fb77ff14f941
                                                            • Instruction Fuzzy Hash: BE41FF75B0420DABDB00EBA5CC429DEB7F9FF89308F51446AF500A7256DA789E05CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,00000001,0042498E,00000000,004249F7), ref: 00424891
                                                            • CloseHandle.KERNEL32(00000000,00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,00000001,0042498E,00000000), ref: 0042489C
                                                            • GetLastError.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 004248E3
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$AttributesCloseCreateErrorHandleLast
                                                            • String ID:
                                                            • API String ID: 2927643983-0
                                                            • Opcode ID: 020176eec5d6f42be7d37591b5f78666e78e28d94eb01a82540cde32f1bc8a49
                                                            • Instruction ID: dd33b6b9f81e07856ee37e0e43e0baa8863c9efe5c1a136613ce728169e39ad2
                                                            • Opcode Fuzzy Hash: 020176eec5d6f42be7d37591b5f78666e78e28d94eb01a82540cde32f1bc8a49
                                                            • Instruction Fuzzy Hash: 6511A379B5527828F53031B96C87BBB1149CBC2324FF9162BFB66BA2D1C19C5CC1611E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00403513
                                                            • Sleep.KERNEL32(0000000A,00000000), ref: 00403529
                                                            • Sleep.KERNEL32(00000000), ref: 00403557
                                                            • Sleep.KERNEL32(0000000A,00000000), ref: 0040356D
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 8a9437801f9726fcd377f658ca86df32b8242f6e17eb2e341aa84f4ed14406a7
                                                            • Instruction ID: 42d35f8e0f18d475b3391309c2a26d93bbc44a93d282e8ffa7c4ba0988d3562c
                                                            • Opcode Fuzzy Hash: 8a9437801f9726fcd377f658ca86df32b8242f6e17eb2e341aa84f4ed14406a7
                                                            • Instruction Fuzzy Hash: 8AC157B66017508FCB15CF28D888316BFA8BB86311F1882BFD4549B3D5D778DA81C789
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            APIs
                                                            • GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 004245CE
                                                            • GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424631
                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424640
                                                            • FileTimeToLocalFileTime.KERNEL32(?,FB,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424683
                                                              • Part of subcall function 004227FC: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00422849
                                                              • Part of subcall function 004227FC: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,00000001), ref: 0042287B
                                                              • Part of subcall function 004227FC: CloseHandle.KERNEL32(000000FF,004228C4,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,00000001), ref: 004228B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Attributes$Time$CloseCreateErrorHandleLastLocal
                                                            • String ID: FB
                                                            • API String ID: 3059364927-3670039715
                                                            • Opcode ID: 084c55364e15af505346aa0fcec3a07071e2199f11905a4858fbf33acedc5931
                                                            • Instruction ID: c1c51cff1122fcdef559ddd5f11acc2f09dee7b976e9a9c955d108d858b7bfa2
                                                            • Opcode Fuzzy Hash: 084c55364e15af505346aa0fcec3a07071e2199f11905a4858fbf33acedc5931
                                                            • Instruction Fuzzy Hash: 0631C971B00228ABDB10EBA5E981BEEB7A9EF85304F95016AF800E7381D77C5E058658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 004247B5
                                                            • GetLastError.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 0042480E
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 1799206407-0
                                                            • Opcode ID: 11423a4d9bf119b3a4665024e0baf30563eacf8fdec8ac240d4fb1c256c0a377
                                                            • Instruction ID: df278c05cb5f3b8655f05b97a3e56c02e352920f00e9e136846d1621e0c97303
                                                            • Opcode Fuzzy Hash: 11423a4d9bf119b3a4665024e0baf30563eacf8fdec8ac240d4fb1c256c0a377
                                                            • Instruction Fuzzy Hash: C001D43D3602F064DA3431793C867BA4585CFC67A8FB4191BFB62A72E1D78D4843A16E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BE8
                                                            • GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BF7
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000), ref: 00424BFF
                                                            • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C1A
                                                            • SetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C28
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                            • String ID:
                                                            • API String ID: 2814369299-0
                                                            • Opcode ID: 0605bdfd3c34e5159f7918a983dba767ee52ea09f489b57a14fd5e5a3ae7dc66
                                                            • Instruction ID: 57235278477e78b329d2ce1c3220feee781b43d13fc81f95c73842f3904e5c96
                                                            • Opcode Fuzzy Hash: 0605bdfd3c34e5159f7918a983dba767ee52ea09f489b57a14fd5e5a3ae7dc66
                                                            • Instruction Fuzzy Hash: 03F0A76134365119DA10767F28C1EFE114CC9827AFB510B3BFA51D26E2DD5D4C46415D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • OpenListArchive.MIA.LIB(00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D,?,00000000), ref: 007689D5
                                                            • CloseListArchive.MIA.LIB(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D), ref: 00768AAF
                                                              • Part of subcall function 005C9660: FileTimeToLocalFileTime.KERNEL32(00000000,00768B1D,?,?), ref: 005C9677
                                                              • Part of subcall function 005C9660: FileTimeToDosDateTime.KERNEL32 ref: 005C9688
                                                            • GetLastArchiveError.MIA.LIB(00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D,?,00000000), ref: 00768AC2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Time$File$Archive.List$ArchiveCloseDateError.LastLocalOpen
                                                            • String ID: 0
                                                            • API String ID: 727730911-4108050209
                                                            • Opcode ID: 39598fb801144715d430ed12939dcc739c85c6989a4db3fca13b0d22688b50b9
                                                            • Instruction ID: e403871301572a310c12965a92a8fe37dd2a7e1fb090b3dc838229259ec1f960
                                                            • Opcode Fuzzy Hash: 39598fb801144715d430ed12939dcc739c85c6989a4db3fca13b0d22688b50b9
                                                            • Instruction Fuzzy Hash: 8D811870A00209DFCB01DF99D985ADEBBB6FF48304F54416AF805AB261CB78AD45CF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFindFirst
                                                            • String ID: \*.*
                                                            • API String ID: 1974802433-1173974218
                                                            • Opcode ID: 3be14c2d8d1d77d037142b6a1f9ff44d141089ae18a6a13563cfbc3b435fd6d6
                                                            • Instruction ID: 1e61872390994e0bab9c5eff1998993cabc17d9ce8fbc3022cf4e5f77fadce7f
                                                            • Opcode Fuzzy Hash: 3be14c2d8d1d77d037142b6a1f9ff44d141089ae18a6a13563cfbc3b435fd6d6
                                                            • Instruction Fuzzy Hash: D4613B74A0462A9BDF61EB65CC4AB8CBBB5BB44304F5041EAF40CB2291EB355F958F09
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • SetLastError.KERNEL32(00000000,?,?,?,005A723E,00000000,005A725E,?,?,00000000,?,0082D4AC,?,00000000,0082EED8), ref: 00477263
                                                            • GetTempPathW.KERNEL32(00000104,00000000,00000000,?,?,?,005A723E,00000000,005A725E,?,?,00000000,?,0082D4AC,?,00000000), ref: 00477281
                                                            • GetLongPathNameW.KERNEL32(00000000,00000000,00000000), ref: 00477298
                                                            • GetLongPathNameW.KERNEL32(00000000,00000000,00000000), ref: 004772AB
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Path$LongName$ErrorLastTemp
                                                            • String ID:
                                                            • API String ID: 1475991060-0
                                                            • Opcode ID: c1a9d14916921fc4882005c76447c95ddc0c88a49f784e3c695ba513b2c89dbf
                                                            • Instruction ID: e88bcbabdb9f1ec4bc983cdfe1743da0a5c73edf8f11bfb8c4fa61ea373dfb0a
                                                            • Opcode Fuzzy Hash: c1a9d14916921fc4882005c76447c95ddc0c88a49f784e3c695ba513b2c89dbf
                                                            • Instruction Fuzzy Hash: 0AF03031B0421117E610776B8C82FAB11D8CF82B99F40447FB604EF2D7D8BC8C4542AE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • [Graph not reproduced; legend: Executed / Not Executed]
                                                            APIs
                                                            • ExtractArchive.MIA.LIB(00000000,00000001,00000000,?,00000001,00000000,?,00000000,00000000,00000000), ref: 0076860B
                                                            • GetLastArchiveError.MIA.LIB(00000000,00000001,00000000,?,00000001,00000000,?,00000000,00000000,00000000), ref: 00768614
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ArchiveArchive.Error.ExtractLast
                                                            • String ID: dxD
                                                            • API String ID: 1514603430-650693785
                                                            • Opcode ID: 9167f4d3a05935a17020eb8cb35b6a608bd2706dc96001d593abfc4359c4743e
                                                            • Instruction ID: e79ef44e2278ca16fdd0482ddfc8cc6e64af0794872f75f7ec4b65b490efbfd6
                                                            • Opcode Fuzzy Hash: 9167f4d3a05935a17020eb8cb35b6a608bd2706dc96001d593abfc4359c4743e
                                                            • Instruction Fuzzy Hash: 2AB14C70A002099FDB00DFA9D985BDEBBB5FF48314F10816AF811A7392DB38AD45CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DB91
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DC07
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0047DC78
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: 8b87bbcb1c312638584391afb04638c45478a71692b4e24da6abdee90267953f
                                                            • Instruction ID: 57266824f2d932d1ce5c4895c05120650e97fd81b45d18efe785b2f0bbc7b4cb
                                                            • Opcode Fuzzy Hash: 8b87bbcb1c312638584391afb04638c45478a71692b4e24da6abdee90267953f
                                                            • Instruction Fuzzy Hash: 28514030F10208AFDB12EBA5C942BDEB7F9AF48304F15846EA459E3382D6799F05D749
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408B85
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00408C26
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00408C62
                                                              • Part of subcall function 00408ABC: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AF5
                                                              • Part of subcall function 00408ABC: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AFB
                                                              • Part of subcall function 00408ABC: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?), ref: 00408B16
                                                              • Part of subcall function 00408ABC: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75), ref: 00408B1C
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID:
                                                            • API String ID: 3490077880-0
                                                            • Opcode ID: 10eb5ef3f6e2d49a959dfc251fea70abf38e8027b0972acb9da723768b44e474
                                                            • Instruction ID: 7c56cf2e3186582e7483b00cd751aa50e1ff6530cd52687d5d3be0a2d44efa3c
                                                            • Opcode Fuzzy Hash: 10eb5ef3f6e2d49a959dfc251fea70abf38e8027b0972acb9da723768b44e474
                                                            • Instruction Fuzzy Hash: AF311970604B058AEB21AB798A5971B76F0AB55314F14093FE1C1A33D2DF7CA884CB5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32(0046169C,00000004,00461694,?,?,?,?,?,?,?,?,?,?,00000000,00461DC8), ref: 00461D6C
                                                            • GetCurrentThread.KERNEL32 ref: 00461DA2
                                                            • GetCurrentThreadId.KERNEL32 ref: 00461DAA
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CurrentThread$ErrorLast
                                                            • String ID:
                                                            • API String ID: 4172138867-0
                                                            • Opcode ID: 46be740d89cc69737b72f33ab050cef0d7a29825237ef2d781c410190c1712a5
                                                            • Instruction ID: d81d373b76c93451c357402c9e60c1bf6b253b3e0664b98a1242fea6a3051ec2
                                                            • Opcode Fuzzy Hash: 46be740d89cc69737b72f33ab050cef0d7a29825237ef2d781c410190c1712a5
                                                            • Instruction Fuzzy Hash: 9F2103709047556EC301DB76CC41AAABBA9BB45304F48852FE850977E1EB7CB814CBAA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000,?,?,00000000,004063A9,0081861A,00000000,008186D2), ref: 0040634C
                                                            • GetStdHandle.KERNEL32(000000F5,?,?,00000000,004063A9,0081861A,00000000,008186D2,?,?,?,00000000,?,0082D52D,00000000,00000000), ref: 0040636C
                                                            • GetLastError.KERNEL32(000000F5,?,?,00000000,004063A9,0081861A,00000000,008186D2,?,?,?,00000000,?,0082D52D,00000000,00000000), ref: 00406380
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateErrorFileHandleLast
                                                            • String ID:
                                                            • API String ID: 1572049330-0
                                                            • Opcode ID: 0ecfb6fcaf6b047c2c800e5ce5bba984b39c90ca47f7306dcbf0570d46417eb6
                                                            • Instruction ID: a368fc4e3039d73de16522235d6a327499955573feef45f3402d5cf96f548e90
                                                            • Opcode Fuzzy Hash: 0ecfb6fcaf6b047c2c800e5ce5bba984b39c90ca47f7306dcbf0570d46417eb6
                                                            • Instruction Fuzzy Hash: DD1105612002008AE724AF58888871B7659EF81314F2AC37BEC0ABF3D5D67DCC5187EE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0047E8B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID: CommonFilesDir
                                                            • API String ID: 3660427363-2265253956
                                                            • Opcode ID: 251a255d2a67f89b6c844501079f28390cd893444f6671e183e0700de479fd03
                                                            • Instruction ID: 4adf3590c5a9773202cffc0e1bc81eb7fd8e28232d7c0278d08eb1294601ee21
                                                            • Opcode Fuzzy Hash: 251a255d2a67f89b6c844501079f28390cd893444f6671e183e0700de479fd03
                                                            • Instruction Fuzzy Hash: AE015275A00208AFC700EFA9DC81ADAB7A8DB49714F00816AF918D7342D6349E0487A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,0047E2FC,?,?,CommonFilesDir,00000000,0047E2FC), ref: 0047E2C5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID: CommonFilesDir
                                                            • API String ID: 3660427363-2265253956
                                                            • Opcode ID: 3028f5571a06ce3ac170fd1c26d1d7cab3a52f1c5851f32da90a4e8d191c3a6b
                                                            • Instruction ID: d6b6cd4c5dc22c8d45e1f2ef645a66dda0b0fdbf6d8587e89431dd27c8b70314
                                                            • Opcode Fuzzy Hash: 3028f5571a06ce3ac170fd1c26d1d7cab3a52f1c5851f32da90a4e8d191c3a6b
                                                            • Instruction Fuzzy Hash: 59F030767041006FD704EA6E9C81F9B67DCDB88714F10843FB25CD7242D928CC058369
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DAF5,?,?,00000000), ref: 0047DA5E
                                                            • RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,0047DAF5,?,?,00000000), ref: 0047DA98
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateOpen
                                                            • String ID:
                                                            • API String ID: 436179556-0
                                                            • Opcode ID: 9a1e1138cb2937812503d6dad519492d49e6a590dd7c3e42ad58e0a73a4d9705
                                                            • Instruction ID: 15b4c6f32ebf0bcf6cadd7e3f265dedb114a34a479296194b3a9dab7f0d7ab52
                                                            • Opcode Fuzzy Hash: 9a1e1138cb2937812503d6dad519492d49e6a590dd7c3e42ad58e0a73a4d9705
                                                            • Instruction Fuzzy Hash: 92318130F14208AFDB11EBA5C842BDEB3F9AF48304F5084BAA419E7282D6789F058759
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000000,0040CD09,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CD92,00000000,?,00000105), ref: 0040CC9D
                                                            • GetSystemDefaultUILanguage.KERNEL32(00000000,0040CD09,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CD92,00000000,?,00000105), ref: 0040CCC5
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DefaultLanguage$SystemUser
                                                            • String ID:
                                                            • API String ID: 384301227-0
                                                            • Opcode ID: 069904bf99abfa0b83b546b1ed0fe6070e1295d5b798fc899ff7ce37847dbfdb
                                                            • Instruction ID: 5ac65596fced7b910d67bbfefc63cc881f334f4f39f389ce6e4f5fa3aa301617
                                                            • Opcode Fuzzy Hash: 069904bf99abfa0b83b546b1ed0fe6070e1295d5b798fc899ff7ce37847dbfdb
                                                            • Instruction Fuzzy Hash: D9312F30A14209DFDB10EBA9C8C2AAEB7B5EF49304F50467BE404B32D1DB789D419B99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteFile.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,?,00000000,?,0040552D,00000064,00402B50,0000D7B1,?,00000000), ref: 004054AE
                                                            • GetLastError.KERNEL32(?,0040552D,00000064,00402B50,0000D7B1,?,00000000,?,00818654,00000000,00000000,008186D2,?,?,?,00000000), ref: 004054B5
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite
                                                            • String ID:
                                                            • API String ID: 442123175-0
                                                            • Opcode ID: 0144cffe5f4022dbbfa19f28a62694fccd9d9f384b429aeac51538f4cc221b03
                                                            • Instruction ID: 58043fc211e287150baae9057470d61647ca602fe4124a230def75f4c210350d
                                                            • Opcode Fuzzy Hash: 0144cffe5f4022dbbfa19f28a62694fccd9d9f384b429aeac51538f4cc221b03
                                                            • Instruction Fuzzy Hash: FC112E71704508EFCB40DF69D981A9FB7E9EB98314B108477E809EB284E634EE00DF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A,?,00000000,0040BB41), ref: 0040CD54
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A), ref: 0040CDA5
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName
                                                            • String ID:
                                                            • API String ID: 1159719554-0
                                                            • Opcode ID: f49f288b91f74fcd056493bfe9f938fb0be1b07c46389491cba556945b7e8bda
                                                            • Instruction ID: f95f1c7a7be229697cbd4194ea68f03b1ad684dc9f70ad0e1a70e9e9ecd67c69
                                                            • Opcode Fuzzy Hash: f49f288b91f74fcd056493bfe9f938fb0be1b07c46389491cba556945b7e8bda
                                                            • Instruction Fuzzy Hash: 7A115130A4421C9BDB14EB50C986BDE77B9DB48304F5145BAB508F32D1DA785F848A99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindNextFileW.KERNEL32(?,?,00000001,00596489,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834,?,?), ref: 00424BA3
                                                            • GetLastError.KERNEL32(?,?,00000001,00596489,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834,?,?), ref: 00424BB5
                                                              • Part of subcall function 00424AC0: FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
                                                              • Part of subcall function 00424AC0: FileTimeToDosDateTime.KERNEL32 ref: 00424B01
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileTime$DateErrorFindLastLocalNext
                                                            • String ID:
                                                            • API String ID: 2103556486-0
                                                            • Opcode ID: 249219fde11eba4d8f0847427deaa5469a8e1ed67c38deb41bcea90f0b7b4556
                                                            • Instruction ID: 94c3d661e99e19b0cf242ad5cc108513695bb429cd69848a77f49ac234955743
                                                            • Opcode Fuzzy Hash: 249219fde11eba4d8f0847427deaa5469a8e1ed67c38deb41bcea90f0b7b4556
                                                            • Instruction Fuzzy Hash: D6C012E2300100574B40AFF6A8C1A9722CC5E8820535805ABBA15CA307DE1DD4504618
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • IsDBCSLeadByteEx.KERNEL32(000004E4,?), ref: 00406833
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteLead
                                                            • String ID:
                                                            • API String ID: 535570690-0
                                                            • Opcode ID: 2f1cb644fb499c63dc5b30d7fec0a20aa9a1c674713672119258b17d28bc32fe
                                                            • Instruction ID: 90b6fd22d809609ea3004cdd2524d420e27ac6550840b70b8a809d14a669ba94
                                                            • Opcode Fuzzy Hash: 2f1cb644fb499c63dc5b30d7fec0a20aa9a1c674713672119258b17d28bc32fe
                                                            • Instruction Fuzzy Hash: 93317C35904184DFDB00D7A8C289BEE7BF1AB11300F1A40F6E845BB2C3D2799F59A715
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DB91
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: 00dcda4b3357fe27e592dec70060977e4b8871651b2a585f5acb668b467a1053
                                                            • Instruction ID: f23ec4b5702853a7ea5987bf2f7fdd18b2bb3f750e5d560e0cf6f6033a68423a
                                                            • Opcode Fuzzy Hash: 00dcda4b3357fe27e592dec70060977e4b8871651b2a585f5acb668b467a1053
                                                            • Instruction Fuzzy Hash: 4821A330F14204AFDB12EB65C952BDEB7F99F48304F2184BEA409E3682D6789E059749
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindResourceW.KERNEL32(00000000,00000000,0000000A,00000000,?,00000000,?,?,00452014,00000000,0045202C,?,0000FFA4,00000000,00000000), ref: 00451E6A
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FindResource
                                                            • String ID:
                                                            • API String ID: 1635176832-0
                                                            • Opcode ID: 4159ebc1ff9f4fa63e2dc2a99cbc1145e40678475c0226c159b9e0146ed05156
                                                            • Instruction ID: d8758b5084b721e2e7b8f07ffa62b5cfea11b7d3667cb77975f3ea63007917f4
                                                            • Opcode Fuzzy Hash: 4159ebc1ff9f4fa63e2dc2a99cbc1145e40678475c0226c159b9e0146ed05156
                                                            • Instruction Fuzzy Hash: 8801D4313083006BD700DF66EC82E6BB7EDEB89719711047AFD00D7292DA7A9C049658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047E9C2), ref: 0047E9A7
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: d175568d259705272e6aa47e86a25d25f43ae7f404f24f7bcc6ed7cf32099ec8
                                                            • Instruction ID: 6c2b064bdfea16977048b204395c2f05d037ce64966bcf41a7dd1988fe17c46e
                                                            • Opcode Fuzzy Hash: d175568d259705272e6aa47e86a25d25f43ae7f404f24f7bcc6ed7cf32099ec8
                                                            • Instruction Fuzzy Hash: 2701B971B00608AFD700EB66C852ADE73ECDB4C304F5040BAB509E3292EA389E048658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID:
                                                            • API String ID: 2422867632-0
                                                            • Opcode ID: 29575488970f715b17986a15caf58521d83e83b8c7794ca887fe32ca52364b9b
                                                            • Instruction ID: ef301df739cc694c572c5ee0b50773967ece18fc2577e6befe398edb865a9ec1
                                                            • Opcode Fuzzy Hash: 29575488970f715b17986a15caf58521d83e83b8c7794ca887fe32ca52364b9b
                                                            • Instruction Fuzzy Hash: A6015E72B04214AFDB41DB9D9884B4AB7ECAB98360F10817AF548E73D1DA749D408B68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00000000,004087DE,?,00841054,00843B18,00000000,?,00408BF6,?,?,?,?,00408C8A,004049FB,00404A42), ref: 004087CE
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            • Opcode ID: 669d9c16f68d7d69e55c837bd1127b50049780d4758f6d47d6ce2fb4150e7957
                                                            • Instruction ID: 3416b5ca3d522f064810a6436f6233d91ae6f526f1053d7af4a84366dc213eb1
                                                            • Opcode Fuzzy Hash: 669d9c16f68d7d69e55c837bd1127b50049780d4758f6d47d6ce2fb4150e7957
                                                            • Instruction Fuzzy Hash: 0BF09036205B159ED3214F1AAE80A13FBECF749760BB5413FD844A3B96DA349800C6A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,?,00000001,0042C450,00000000,0042C3AF,?,00000000,0042C40D), ref: 0042304B
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID:
                                                            • API String ID: 1825529933-0
                                                            • Opcode ID: 1367ec480eb4cb0b958e952430911fc2e6c6f941ff26b9b5787ef9433decb0e0
                                                            • Instruction ID: 7d4b6c6e5e0bed3a7d05330ec8cb189f96d8e7c295e251969e5bd50bfcc166b6
                                                            • Opcode Fuzzy Hash: 1367ec480eb4cb0b958e952430911fc2e6c6f941ff26b9b5787ef9433decb0e0
                                                            • Instruction Fuzzy Hash: 70E0D8B37413652BE92099AE5CC1FB7669CCB897A6B05017AFF04F7346C9595C0141B4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,0059EC8D,?,00000001,?,?,0082DB80,?,mia,.res,00000000,00000000,00000000,?,00000000), ref: 0059EC63
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 4fcf3b4a5b7900d620859b366189a173618c0baed1ed45520c03ae6a57b3418a
                                                            • Instruction ID: 270be10a341e33f11dd85db8b8dc784368f0353ba6e026200a026ced54a91c08
                                                            • Opcode Fuzzy Hash: 4fcf3b4a5b7900d620859b366189a173618c0baed1ed45520c03ae6a57b3418a
                                                            • Instruction Fuzzy Hash: AEF0E530604208FEDF44EB79CE53CAD7BECFB097187A0097AF450E26E1D6396E04A518
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00424594: GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 004245CE
                                                              • Part of subcall function 00424594: GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424631
                                                              • Part of subcall function 00424594: GetLastError.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424640
                                                              • Part of subcall function 00424594: FileTimeToLocalFileTime.KERNEL32(?,FB,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424683
                                                            • FileTimeToDosDateTime.KERNEL32 ref: 004246F9
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Time$Attributes$DateErrorLastLocal
                                                            • String ID:
                                                            • API String ID: 663141457-0
                                                            • Opcode ID: 277bbfe9d65a59bbddf6dd17e79c36de28946aecbf085cc2aac3b5beac8cee4c
                                                            • Instruction ID: e04da985f904ea9dfe94d092605b8332e34c08d2116ba371cb577d0f9109872a
                                                            • Opcode Fuzzy Hash: 277bbfe9d65a59bbddf6dd17e79c36de28946aecbf085cc2aac3b5beac8cee4c
                                                            • Instruction Fuzzy Hash: 5FF0E535A0020DA78F10CED898808DEB3A8DA86328F604793E934E7281EB369F049794
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,0000020A,?,00000000,0040BB41,0041E298,0041E29C,?,0040D5A0), ref: 0040BAF2
                                                              • Part of subcall function 0040CD18: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A,?,00000000,0040BB41), ref: 0040CD54
                                                              • Part of subcall function 0040CD18: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A), ref: 0040CDA5
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileModuleName$LibraryLoad
                                                            • String ID:
                                                            • API String ID: 4113206344-0
                                                            • Opcode ID: e9047e7e718f9a5106684697ebfde9e3f407d95ad0ce6d1c0455f8f31703f4f1
                                                            • Instruction ID: a88651896b0ed3a23ea67229964229f1848bdffbb32de574980f9bf0ab694c8b
                                                            • Opcode Fuzzy Hash: e9047e7e718f9a5106684697ebfde9e3f407d95ad0ce6d1c0455f8f31703f4f1
                                                            • Instruction Fuzzy Hash: 01E0C971A003109BDB10DE58C9C5A5637A4AF49754F044666AD14EF38AD375D91087D5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000001,004249D2,00000000,004249F7,?,?,00000000,00000000,00000000,00000000,?,0082D4D3,?,00000000), ref: 004250F1
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateDirectory
                                                            • String ID:
                                                            • API String ID: 4241100979-0
                                                            • Opcode ID: 383a688f34737a12b868ed746cb1ae341d81b257cb3ad43e14afc6877cde684f
                                                            • Instruction ID: 8f43151b22b1469bfb9e70a166b3f2c49ff5d4be4b49b84714ba4ddc6eb884e8
                                                            • Opcode Fuzzy Hash: 383a688f34737a12b868ed746cb1ae341d81b257cb3ad43e14afc6877cde684f
                                                            • Instruction Fuzzy Hash: 4CB092A27942402AEA0036BA0CC2B6A00CDD79860AF10083AB602D6193E47AC8440014
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00408BE6,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00407184
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            • Opcode ID: 6a3c7b9f1797a488de21e861749322422cbf90c3622f26d40c67571f13affa8d
                                                            • Instruction ID: 41ba22d18321cb76633606a16cf5ad3b717cdc5a2f3560622911eff0241e057f
                                                            • Opcode Fuzzy Hash: 6a3c7b9f1797a488de21e861749322422cbf90c3622f26d40c67571f13affa8d
                                                            • Instruction Fuzzy Hash: 34B01270A000415BCE008A11C54C4557B515B5130C31000A4C8018F3D0CE27A804C701
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,00000000,00000000,?,?,0058503C,005874F0,?,00000000,0058512B,?,00000000,?), ref: 00464D06
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 09c544327ed3e2257745a0b1e5b614fcc5909a1661039ce2c3f127fb09c38e11
                                                            • Instruction ID: 414783f545f013a41a00390d3318c56245cd632fceaf0a69517d536ab90c3cc3
                                                            • Opcode Fuzzy Hash: 09c544327ed3e2257745a0b1e5b614fcc5909a1661039ce2c3f127fb09c38e11
                                                            • Instruction Fuzzy Hash: 85115E746007058BC710DF1AD880B42FBE5FF89750F10C53AEA598B385E374E915CBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00403757), ref: 0040315A
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: f216b6ceb9f08cfb8ecaa4418ae988c501d28e156bbf7e1e539a0e26d76dff0d
                                                            • Instruction ID: eaab0908dca398bdff0d631121814ce98026ab15d171e95ea26a12bb78313901
                                                            • Opcode Fuzzy Hash: f216b6ceb9f08cfb8ecaa4418ae988c501d28e156bbf7e1e539a0e26d76dff0d
                                                            • Instruction Fuzzy Hash: 1EF04FB5B422004BDB14CF798D49302BAD6B78A305F10817EE509DB79CDB748446CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000), ref: 0040C451
                                                            • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040C462
                                                            • lstrcpynW.KERNEL32(?,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105), ref: 0040C492
                                                            • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019), ref: 0040C501
                                                            • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001), ref: 0040C549
                                                            • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830), ref: 0040C55C
                                                            • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000), ref: 0040C572
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F), ref: 0040C57E
                                                            • lstrcpynW.KERNEL32(0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?), ref: 0040C5BA
                                                            • lstrlenW.KERNEL32(?,0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298), ref: 0040C5C6
                                                            • lstrcpynW.KERNEL32(?,0000005C,?,?,0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 0040C5E9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                            • String ID: GetLongPathNameW$\$kernel32.dll
                                                            • API String ID: 3245196872-3908791685
                                                            • Opcode ID: b04ba5caedf144eeb875c5d634dacea720d2e9b1876c80ca577194fcfae269f7
                                                            • Instruction ID: 76c12ef7d0d67687ef3a7bd8e91ca30b501443e14e09bb49bd729650117b71ee
                                                            • Opcode Fuzzy Hash: b04ba5caedf144eeb875c5d634dacea720d2e9b1876c80ca577194fcfae269f7
                                                            • Instruction Fuzzy Hash: 1A517476900228EBCB10EB94CDC5ADE73BCAF44314F1446B6A505F72C1E678EE409B59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB,?,?,?,?,00000000,00000000), ref: 00794367
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB,?,?,?,?,00000000), ref: 00794379
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 00794536
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 00794547
                                                            • FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 0079455C
                                                            • FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 0079456E
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000), ref: 0079466A
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000), ref: 0079467B
                                                              • Part of subcall function 007942A8: FindClose.KERNEL32(000000FF), ref: 0079448A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$Close$File$FirstNext
                                                            • String ID: $IGNORE$$*.*$dxD
                                                            • API String ID: 3527384056-1668806599
                                                            • Opcode ID: 0ca9cdae76652d41ac622ccf3a5bcac9f3a953c23b400b37e8c6532243a88ea4
                                                            • Instruction ID: e1b80d9ff527bd2dbf90f37abcf2fb7d5bc5ee44b63da5edd6403852173e2c8f
                                                            • Opcode Fuzzy Hash: 0ca9cdae76652d41ac622ccf3a5bcac9f3a953c23b400b37e8c6532243a88ea4
                                                            • Instruction Fuzzy Hash: E0B16E74A0421A9FCF20EBA5D889FDDB3B5EF45304F1041E6E508A7291DB38AE86CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920,00000000), ref: 007947B6
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920), ref: 007947C8
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E), ref: 0079496C
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001), ref: 0079497D
                                                            • FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000), ref: 00794992
                                                            • FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000), ref: 007949A4
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053), ref: 00794A4A
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B), ref: 00794A5B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFile$FirstNext
                                                            • String ID: *.*$dxD
                                                            • API String ID: 1164774033-3064973229
                                                            • Opcode ID: 48861e728c33fcb31fb06544e2d3f24791516a9b7d6b355fd16156afaa90fea4
                                                            • Instruction ID: ff152c514afcea9cfc9e838b5402cdfe4aa7c3f6c782aca87fd93a1163c2126f
                                                            • Opcode Fuzzy Hash: 48861e728c33fcb31fb06544e2d3f24791516a9b7d6b355fd16156afaa90fea4
                                                            • Instruction Fuzzy Hash: 1591417490421E9FCF20EBA5D889EDDB7B5EF44308F1041E9E508A7291DB38AE86CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005965A2
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005965B4
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005966BD
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000), ref: 005966CE
                                                            • FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000), ref: 005966E3
                                                            • FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000), ref: 005966F5
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000), ref: 0059679B
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000), ref: 005967AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFile$FirstNext
                                                            • String ID: *.*$dxD
                                                            • API String ID: 1164774033-3064973229
                                                            • Opcode ID: 923b812e680f5dd07e6239f800a0fc17d47a8c003e3a36ed88f83db44a91d92a
                                                            • Instruction ID: 36c3d6617cd4af2a79d1d750f7a8f62ae953cbc5bd5202a4d3b83fbe1fa0981b
                                                            • Opcode Fuzzy Hash: 923b812e680f5dd07e6239f800a0fc17d47a8c003e3a36ed88f83db44a91d92a
                                                            • Instruction Fuzzy Hash: 8371527490421E9FCF10EBA5C889ADDBBB9FF44308F1041E6E508A7295DB34AE89CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920,00000000), ref: 007947B6
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920), ref: 007947C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID: *.*$dxD
                                                            • API String ID: 2295610775-3064973229
                                                            • Opcode ID: f2b3fefebb37129a0a1e6f182d7a70ee6f754dab094e66b77317f835a39bf437
                                                            • Instruction ID: 1a731755e4436f46a0472c1f2d3eaa4540c5553183ac843544b75001628e15ed
                                                            • Opcode Fuzzy Hash: f2b3fefebb37129a0a1e6f182d7a70ee6f754dab094e66b77317f835a39bf437
                                                            • Instruction Fuzzy Hash: 61217F70904249AFDF11EBA4DC86EDEB7B8EF45304F5085AAE504A3291DB385E46CB98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryW.KERNEL32(PSAPI.dll,00000000,0041334D,00000000,00000000,00000000,?,00422706,00000104,00000000,0042275A,?,000003EE,00000004,00000000,00000000), ref: 00412E70
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
                                                            • API String ID: 1029625771-2267155864
                                                            • Opcode ID: 6bac1b2b4a319ff33ccb8e8104650400bc02deb93b4b18c6396d2ce78b5e6f7a
                                                            • Instruction ID: e8ef9a16514465b5e6b2cf852d3bc01d448d5d354a81a289e54fbc754b55e648
                                                            • Opcode Fuzzy Hash: 6bac1b2b4a319ff33ccb8e8104650400bc02deb93b4b18c6396d2ce78b5e6f7a
                                                            • Instruction Fuzzy Hash: 6D41FAB8A40318AF9F00EFB69CC6A9537A8BB06705710056FB514DF3A4DA78DA81CB1D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000,00000000), ref: 0040C30E
                                                            • LeaveCriticalSection.KERNEL32(00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000), ref: 0040C332
                                                            • LeaveCriticalSection.KERNEL32(00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000), ref: 0040C341
                                                            • IsValidLocale.KERNEL32(00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09), ref: 0040C353
                                                            • EnterCriticalSection.KERNEL32(00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09), ref: 0040C3B0
                                                            • lstrcpynW.KERNEL32(en-US,en,,00000000,000000AA,00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA), ref: 0040C3CE
                                                            • LeaveCriticalSection.KERNEL32(00843B88,en-US,en,,00000000,000000AA,00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000), ref: 0040C3D8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$Enter$LocaleValidlstrcpyn
                                                            • String ID: en-US,en,
                                                            • API String ID: 1058953229-3579323720
                                                            • Opcode ID: 633940988bd0bd6c9b287c41c329676b3fc209daa88bbceb5542c180f6a54ac6
                                                            • Instruction ID: 840befadd27682b71f7f5cd4a757e932a44a81a62cff2673ef979b7a35d4f3a5
                                                            • Opcode Fuzzy Hash: 633940988bd0bd6c9b287c41c329676b3fc209daa88bbceb5542c180f6a54ac6
                                                            • Instruction Fuzzy Hash: 8421D834354708A7D7147BA68D57B1E3294EF85758F50453FB840F63D2CABC9D01929E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AF5
                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AFB
                                                            • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?), ref: 00408B16
                                                            • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75), ref: 00408B1C
                                                            • MessageBoxA.USER32 ref: 00408B3A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileHandleWrite$Message
                                                            • String ID: Error$Runtime error at 00000000
                                                            • API String ID: 1570097196-2970929446
                                                            • Opcode ID: d55f0b3ec2b3309b3ec7c4b4bf2282798b450c2c57fb01e50abc9738b356a3b2
                                                            • Instruction ID: 883d27b1f089570435a1ec32665e41e73b0e3fe465dedc934fa18f7fcc10b570
                                                            • Opcode Fuzzy Hash: d55f0b3ec2b3309b3ec7c4b4bf2282798b450c2c57fb01e50abc9738b356a3b2
                                                            • Instruction Fuzzy Hash: 98F0A4A1A8024035FE107BA55E1EF56366CA751B19F10463FB160B56D2CABC68C4C619
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ff865de398dabf03235835d6a03df8d6bd4440262de3a292e4e093a064290b02
                                                            • Instruction ID: 06de5c44b1e8d66e5792396b36ef80cda03d3281113913fe30758daa7217e7fe
                                                            • Opcode Fuzzy Hash: ff865de398dabf03235835d6a03df8d6bd4440262de3a292e4e093a064290b02
                                                            • Instruction Fuzzy Hash: 3EC14A627106000BE714AE7D9D8972EBA8D9BC5326F18823FF144EB3D6DA7CDE458348
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00407F3C: GetCurrentThreadId.KERNEL32 ref: 00407F3F
                                                            • GetTickCount.KERNEL32 ref: 00407B7B
                                                            • GetTickCount.KERNEL32 ref: 00407B8D
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407BC0
                                                            • GetTickCount.KERNEL32 ref: 00407BE7
                                                            • GetTickCount.KERNEL32 ref: 00407C21
                                                            • GetTickCount.KERNEL32 ref: 00407C4B
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407CC1
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountTick$CurrentThread
                                                            • String ID:
                                                            • API String ID: 3968769311-0
                                                            • Opcode ID: 5369a3ff8cf9b08d90c4e116274b425cc6b0c131ff5b93987916801eede752e2
                                                            • Instruction ID: 505cc0ca4ebae022a0f1ed319f5fc283f6d826263fe70601ac970ffa21443408
                                                            • Opcode Fuzzy Hash: 5369a3ff8cf9b08d90c4e116274b425cc6b0c131ff5b93987916801eede752e2
                                                            • Instruction Fuzzy Hash: 88418F30A0C3444AE720AE7CC58832F7BD1AB85344F15893FE4D4A73C2DABCA881975B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryW.KERNEL32(shfolder.dll,00000000,005A6FF3), ref: 005A6F30
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            • GetDesktopWindow.USER32 ref: 005A6F69
                                                            • GetShortPathNameW.KERNEL32 ref: 005A6F96
                                                            • FreeLibrary.KERNEL32(00000000,00000000,SHGetFolderPathW,shfolder.dll,00000000,005A6FF3), ref: 005A6FD0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Library$AddressDesktopFreeLoadNamePathProcShortWindow
                                                            • String ID: SHGetFolderPathW$shfolder.dll
                                                            • API String ID: 190074832-3387970553
                                                            • Opcode ID: 31a51a6c87f614c9f7c1187207f5dc5a0d7fce9b88a45971a8966e53014efcb9
                                                            • Instruction ID: ec3bacc96b391dfa64664bada29a1a1cad6acc7f1103c9f38b08fc0397cb3db3
                                                            • Opcode Fuzzy Hash: 31a51a6c87f614c9f7c1187207f5dc5a0d7fce9b88a45971a8966e53014efcb9
                                                            • Instruction Fuzzy Hash: 7021C775E4420AAFCB00EBA5DC51AAEBBB8FF46704F14447AF504F7294DB349E008B58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,00000001), ref: 00407916
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040791C
                                                            • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation,00000001), ref: 00407938
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastModuleProc
                                                            • String ID: GetLogicalProcessorInformation$kernel32.dll$k
                                                            • API String ID: 4275029093-3824636038
                                                            • Opcode ID: bc1493411cf7a1fdcbc33e286c73cc8e5e4d51c8ea2d0e9cf86bcd57a426165a
                                                            • Instruction ID: 3ef7fc8a316c6a40be9ae1a577b33141ba89fc8532ffa234138abc26abf6d127
                                                            • Opcode Fuzzy Hash: bc1493411cf7a1fdcbc33e286c73cc8e5e4d51c8ea2d0e9cf86bcd57a426165a
                                                            • Instruction Fuzzy Hash: 72116AB1D0C204AEFB10EBA5DE45B5EB7A9EB44314F20447BE404B22C2D67DB940D66E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileSize.KERNEL32(?,?), ref: 00422609
                                                            • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000001,00000000,?,?), ref: 0042269F
                                                            • MapViewOfFile.KERNEL32(000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000,00000001,00000000,?), ref: 004226CE
                                                            • GetCurrentProcess.KERNEL32(00000104,00000000,0042275A,?,000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000), ref: 004226F3
                                                            • UnmapViewOfFile.KERNEL32(00000000,00422761,?,000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000,00000001), ref: 00422754
                                                              • Part of subcall function 00422390: GetLogicalDriveStringsW.KERNEL32(00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223CD
                                                              • Part of subcall function 00422390: QueryDosDeviceW.KERNEL32(?,?,00000104,00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223F7
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$View$CreateCurrentDeviceDriveLogicalMappingProcessQuerySizeStringsUnmap
                                                            • String ID:
                                                            • API String ID: 435433801-0
                                                            • Opcode ID: 73ae006de74c5a6efbfeb4249140766e4eca8248ed6ba63f726dbea61ff99326
                                                            • Instruction ID: 4187adb91f966debfcf9f471d10a7bce2dda35d7e6eeff07d021d263234a0034
                                                            • Opcode Fuzzy Hash: 73ae006de74c5a6efbfeb4249140766e4eca8248ed6ba63f726dbea61ff99326
                                                            • Instruction Fuzzy Hash: 88518F70B04219BFDB10EFA5D985B9EB7B5EB48304F9044EAE504A7291D7B89E80CF58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFileAttributesW.KERNEL32(00000000,?,?,?,00000000,00000000,0000000B,00000000,00000000,00000001,?,007D984A,00000000,007D98E0), ref: 00768E99
                                                              • Part of subcall function 00424BD8: DeleteFileW.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BE8
                                                              • Part of subcall function 00424BD8: GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BF7
                                                              • Part of subcall function 00424BD8: GetFileAttributesW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000), ref: 00424BFF
                                                              • Part of subcall function 00424BD8: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C1A
                                                            • MoveFileW.KERNEL32(00000000), ref: 00768F33
                                                              • Part of subcall function 0040717C: KiUserCallbackDispatcher.NTDLL(00408BE6,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00407184
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Attributes$CallbackDeleteDirectoryDispatcherErrorLastMoveRemoveUser
                                                            • String ID: *.*
                                                            • API String ID: 691102307-438819550
                                                            • Opcode ID: 67e84289ecff61f33034e0fd06d8d97b73431112671c936c531bd7e4000b6789
                                                            • Instruction ID: 0fa0777bf0979ef0c8522848ad50890eb5ff942d969ead750916ebb87b8794d9
                                                            • Opcode Fuzzy Hash: 67e84289ecff61f33034e0fd06d8d97b73431112671c936c531bd7e4000b6789
                                                            • Instruction Fuzzy Hash: 4691FC30A0010EAFDF01EBA9D845ACDB7B5FF58304F50856AF805B72A5DB35AE05CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID: |>C
                                                            • API String ID: 1473721057-213533553
                                                            • Opcode ID: f77f160c4784674292fd838c38f5d47e98ced0e3141dfb1bc3a2e06e65c17674
                                                            • Instruction ID: 20914c188d6625644210769ee22846e9ff66e0570ff4a8d1b76d358979a87ea4
                                                            • Opcode Fuzzy Hash: f77f160c4784674292fd838c38f5d47e98ced0e3141dfb1bc3a2e06e65c17674
                                                            • Instruction Fuzzy Hash: 3D01D46070421086DB10AB25DA857E632985FAD308F20357BB0469B253CB7CFC46D76F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 007D6E80: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
                                                              • Part of subcall function 007D6E80: GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,?,?,00794AFA), ref: 007DBD90
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: HandleModule$AddressCurrentProcProcess
                                                            • String ID: Win32$Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 4003494863-80893164
                                                            • Opcode ID: 08872e14f903e4fc870fbfef4b6a36aa4199ea15be0b445078baef3c9e14c768
                                                            • Instruction ID: b85d9e4078d9ce42f5daec457a4bd7b584622aa0e684e5eccdb4b4bfda696b28
                                                            • Opcode Fuzzy Hash: 08872e14f903e4fc870fbfef4b6a36aa4199ea15be0b445078baef3c9e14c768
                                                            • Instruction Fuzzy Hash: 30E02B20B41350E5CE10A7B598167A507B61E4DF8870A0427FD80A73D3DB5CCC0159E8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 007D6E80: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
                                                              • Part of subcall function 007D6E80: GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,?,?,00794B5A,00794B62), ref: 007DBE64
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: HandleModule$AddressCurrentProcProcess
                                                            • String ID: Win32$Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 4003494863-74661203
                                                            • Opcode ID: 4b5169e114a068f3f1820069252d1bfd3dd91b72d2f48b51fada0d1a3b731179
                                                            • Instruction ID: 5d07d555bf60436f01e20604474d777d017adacec3ea30256a2cc30a8457dad9
                                                            • Opcode Fuzzy Hash: 4b5169e114a068f3f1820069252d1bfd3dd91b72d2f48b51fada0d1a3b731179
                                                            • Instruction Fuzzy Hash: CDF0E561A013B0D5CE2063795815EE21FB82B45748F0A0927BF8097793D72CCC0D82A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            • GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressCurrentHandleModuleProcProcess
                                                            • String ID: IsWow64Process$kernel32
                                                            • API String ID: 4190356694-3789238822
                                                            • Opcode ID: fbfa8b9be56232b2a7a050497b9336513c0f72992db566346c55723fb6780570
                                                            • Instruction ID: 8f20da8456057496d7b22a05698da9075f8360932483dc278fb67f6f45ead45b
                                                            • Opcode Fuzzy Hash: fbfa8b9be56232b2a7a050497b9336513c0f72992db566346c55723fb6780570
                                                            • Instruction Fuzzy Hash: 7FE012BE7647436E6E0077F79C82D6B17AC9A90359710093BF540D0252EAADC855102D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C1E5
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040C243
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040C2A0
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040C2D3
                                                              • Part of subcall function 0040C190: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040C251), ref: 0040C1A7
                                                              • Part of subcall function 0040C190: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040C251), ref: 0040C1C4
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Thread$LanguagesPreferred$Language
                                                            • String ID:
                                                            • API String ID: 2255706666-0
                                                            • Opcode ID: bc24a83227e15b380631f55bd2f426ee2f9d90468bb3ecff20a5d0c17074213b
                                                            • Instruction ID: 5adc0bea2c8af2d65c5d3e99b3eb73bb67b06f85e1b4683f9ecad5d3c1eab476
                                                            • Opcode Fuzzy Hash: bc24a83227e15b380631f55bd2f426ee2f9d90468bb3ecff20a5d0c17074213b
                                                            • Instruction Fuzzy Hash: 42310A70E0021ADBDB10EBE9C885AAFB7B8FF48314F4046BAE551F7295D7789A04CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindNextFileW.KERNEL32(?,?), ref: 00424AD1
                                                            • GetLastError.KERNEL32(?,?), ref: 00424ADA
                                                            • FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
                                                            • FileTimeToDosDateTime.KERNEL32 ref: 00424B01
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileTime$DateErrorFindLastLocalNext
                                                            • String ID:
                                                            • API String ID: 2103556486-0
                                                            • Opcode ID: 9609eb00e04a689bd71bdebf9600531a51fed77c8bea1292b3844d585f781882
                                                            • Instruction ID: fe6fac3a6ac03b6b4440619cae4f2eff92646066b65c4be4ccf9c54d9b613497
                                                            • Opcode Fuzzy Hash: 9609eb00e04a689bd71bdebf9600531a51fed77c8bea1292b3844d585f781882
                                                            • Instruction Fuzzy Hash: 5411ADB1700100AFDB44DF69C8C199777ECEF8834475485ABED04CB24EE638DC018BA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindResourceW.KERNEL32(00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?,?,00000000,?,00451E89), ref: 004580FB
                                                            • LoadResource.KERNEL32(00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?,?,00000000), ref: 00458115
                                                            • SizeofResource.KERNEL32(00000000,00458180,00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?), ref: 0045812F
                                                            • LockResource.KERNEL32(00456D84,00000000,00000000,00458180,00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000), ref: 00458139
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID:
                                                            • API String ID: 3473537107-0
                                                            • Opcode ID: 414d090d51e5c97bb2d7871269b0df026c3f90b3cc5e867df6ac2b737ce49eed
                                                            • Instruction ID: ade0e4e0a8cbb3b7b760c1b632ec3f7ae6df1f7590847d81dfa81050c3fea11b
                                                            • Opcode Fuzzy Hash: 414d090d51e5c97bb2d7871269b0df026c3f90b3cc5e867df6ac2b737ce49eed
                                                            • Instruction Fuzzy Hash: 95F04BB26056046F4B44EF6EA881DAB77DCEE88265314016FFE18D7203EE39DD058378
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: oY@$X(
                                                            • API String ID: 0-2454232136
                                                            • Opcode ID: a3635da41d6ada84ed8f10af34513a83174d4b8c9a070eb1340295e14fa243af
                                                            • Instruction ID: 657c74bf76a079fdf93a688482b863b4ef09bc5b766970fd558e04562a456c78
                                                            • Opcode Fuzzy Hash: a3635da41d6ada84ed8f10af34513a83174d4b8c9a070eb1340295e14fa243af
                                                            • Instruction Fuzzy Hash: F351D431A045A88BCB11DB69C4957AF7BB4DF51304F0801BB9885BB2C7D63C9E05DFA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0042483C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
                                                            • GetVolumeInformationW.KERNEL32(00000000,?,00000104,?,?,?,?,00000104,00000000,0042448C,?,00000000,?), ref: 004243F3
                                                            • GetDriveTypeW.KERNEL32(00000000), ref: 00424418
                                                              • Part of subcall function 004247A4: GetFileAttributesW.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 004247B5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile$DriveInformationTypeVolume
                                                            • String ID: d5A
                                                            • API String ID: 2660071179-326437214
                                                            • Opcode ID: 2fa643a2496d0fd72efea3c911f6a909d600cda9c01ece4b0853edc21ea82aae
                                                            • Instruction ID: bd563c539b1aab59f9bd9d3b06265d9c66015eb71dfd5a6194938a33824a214f
                                                            • Opcode Fuzzy Hash: 2fa643a2496d0fd72efea3c911f6a909d600cda9c01ece4b0853edc21ea82aae
                                                            • Instruction Fuzzy Hash: CE31D870B002285ADB11FB55E8427DD77A8EF84708FC441ABE904A3292DB3C5F45DE5C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VariantCopy.OLEAUT32 ref: 00434D2D
                                                              • Part of subcall function 0043446C: VariantClear.OLEAUT32 ref: 0043447B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Variant$ClearCopy
                                                            • String ID: |>C
                                                            • API String ID: 274517740-213533553
                                                            • Opcode ID: 8771a4346e2b20afc04fff4dabda3d31eb32952cc78d6270db85b0f1906f051e
                                                            • Instruction ID: 6a0268472f155fb589513e0d0a9dd18b4d2ee9e8d712b2481dc583d533d54a34
                                                            • Opcode Fuzzy Hash: 8771a4346e2b20afc04fff4dabda3d31eb32952cc78d6270db85b0f1906f051e
                                                            • Instruction Fuzzy Hash: 9B21743030021097DB31AF29E4815E777E69FCD750F10A46BE84A8B356DA3CEC82C66E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(NTDLL.DLL,NtQueryObject,00000000,00000000), ref: 004224EE
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: NTDLL.DLL$NtQueryObject
                                                            • API String ID: 1646373207-3865875859
                                                            • Opcode ID: 39398ca4bf87bed804ca7380330e155dc5bba8e055c56731faf510cc40fa8a3d
                                                            • Instruction ID: 9e746bf49908d423d3971de1d80f05601bd15af5f2909352a40ec1968959bb51
                                                            • Opcode Fuzzy Hash: 39398ca4bf87bed804ca7380330e155dc5bba8e055c56731faf510cc40fa8a3d
                                                            • Instruction Fuzzy Hash: B511D075B04218BFDB10EB69ED42B9A77A9F748704F908166F504E2690D7B9AF80C64C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 007277C9
                                                            • EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,00727CFF,?,?,?,00000000,00000000,?,0079430B,00000000,00000000,00000064,00000000), ref: 007277E7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountCriticalEnterSectionTick
                                                            • String ID: MYAH_LastDelegateTick
                                                            • API String ID: 3768448988-2068939020
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetACP.KERNEL32(0047861C,00000000), ref: 00430464
                                                            • GetCPInfo.KERNEL32(00430548,?,0047861C,00000000), ref: 00430485
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Info
                                                            • String ID: L.A
                                                            • API String ID: 1807457897-2350765468
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,005956AB,?,00000001,00000001,00000000,?,005957A1,00000000,005957C6,?,00000000,00000000,00000000), ref: 00595661
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,005956AB,?,00000001,00000001,00000000,?,005957A1,00000000,005957C6,?,00000000), ref: 0059568A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.436063645.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateDirectory
                                                            • String ID: \\?\
                                                            • API String ID: 4241100979-4282027825
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040CBF0,?,?), ref: 0040CB62
                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040CBF0,?,?), ref: 0040CB6B
                                                              • Part of subcall function 0040C9F8: FindFirstFileW.KERNEL32(00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA2B
                                                              • Part of subcall function 0040C9F8: FindClose.KERNEL32(00000000,00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA3B
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                            • String ID:
                                                            • API String ID: 3216391948-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA2B
                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA3B
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834), ref: 00424B63
                                                            • GetLastError.KERNEL32(00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834), ref: 00424B88
                                                              • Part of subcall function 00424AC0: FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
                                                              • Part of subcall function 00424AC0: FileTimeToDosDateTime.KERNEL32 ref: 00424B01
                                                              • Part of subcall function 00424BBC: FindClose.KERNEL32(?,?,00424B86,00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000), ref: 00424BC8
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
                                                            • String ID:
                                                            • API String ID: 976985129-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetVersionExW.KERNEL32(00858B3C,00000000,0082D434,?,00000000,0082EED8,?,?,?,?,00000028,00000000,00000000), ref: 0082D34C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Version
                                                            • String ID: </Dialogs>$ </ExtractArchive>$ </GlobalLists>$ </ResourcePath>$ </StubData>$ </StubSize>$ </SupportDir>$ <Dialogs>$ <ExtractArchive>$ <GlobalLists>$ <ResourcePath>$ <StubData>$ <StubSize>$ <SupportDir>$ </SetupSplash>$ <RunScript>$ <SetupSplash>$$DOLLAR$$$WILD_DOLLAR$$.msi$.msp$.res$<InstallAware>$TRUE$data\$dxD$lang.loc$mia$mia.lib$mia.tmp
                                                            • API String ID: 1889659487-1851809426
                                                            • Opcode ID: c0f449ea3db6afbdaebd4e5398f8ca0530294d83ec301b6686362c1fcf47894a
                                                            • Instruction ID: da3f706e8fad9170a8dfdb118e7f0e5f4ab879b6b969e9938d5adb5aa6c1a0e2
                                                            • Opcode Fuzzy Hash: c0f449ea3db6afbdaebd4e5398f8ca0530294d83ec301b6686362c1fcf47894a
                                                            • Instruction Fuzzy Hash: 06720F74640214CFCB00FBE9E85594937A5FB85316B50407BFA06FB362DE399C49CB9A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040C84D,?,?), ref: 0040C661
                                                            • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,0040C84D,?,?), ref: 0040C67D
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,0040C84D,?,?), ref: 0040C6AA
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,0040C84D), ref: 0040C6CC
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?), ref: 0040C6EA
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040C708
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040C726
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040C744
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000), ref: 0040C784
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001), ref: 0040C7AF
                                                            • RegCloseKey.ADVAPI32(?,0040C837,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001,Software\Embarcadero\Locales), ref: 0040C82A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open$QueryValue$CloseFileModuleNamelstrcpyn
                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                            • API String ID: 512384800-3496071916
                                                            • Opcode ID: bdac962312e14bf69b4cb6d8ebe2f4f8c797028779bae34ed630296ed3d58d69
                                                            • Instruction ID: bd9ab06692e8d258f654d8dc2864fdf92ebb3c8a55c2e1fb3935c138dac9bbb8
                                                            • Opcode Fuzzy Hash: bdac962312e14bf69b4cb6d8ebe2f4f8c797028779bae34ed630296ed3d58d69
                                                            • Instruction Fuzzy Hash: 62512675A40209FEEB10FB95CD86FAF73ACDB08705F60457BB604F61C1D6B89A448A5C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D944
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 1f3db080524931f2a71b78ac2fbcba56dfaf1e55a97ed4bd4606fe5a50a1f930
                                                            • Instruction ID: f1754b9a30898a739949526b4897abeae061c25df43582866fa3238b20cb1580
                                                            • Opcode Fuzzy Hash: 1f3db080524931f2a71b78ac2fbcba56dfaf1e55a97ed4bd4606fe5a50a1f930
                                                            • Instruction Fuzzy Hash: EBA14AB5E002099FDB11DFE8D880BAEB7B5BB48310F14453AE905B7390DB78A949CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 005A8F2D
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,0000002B,?,00000000,005A9083,?,00000000,005A90AD,?,?,?,?,00000000,00000000,?,007D8754), ref: 005A8F33
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DesktopFolderLocationSpecialWindow
                                                            • String ID: &$CommonFilesDir$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 712084180-1915935699
                                                            • Opcode ID: e6e4c29796e67ea4c0d594db5d4910fbf98424d5f6c27b1277bb27276f8e460d
                                                            • Instruction ID: 8033c48627882e4f97e082b97ef3ea09083225c8ea2392c17a415e286cff22ce
                                                            • Opcode Fuzzy Hash: e6e4c29796e67ea4c0d594db5d4910fbf98424d5f6c27b1277bb27276f8e460d
                                                            • Instruction Fuzzy Hash: 0F515570A002099FCB14EFA5D8869AEBBF5FF8A304F5184BAF500B7651DB38AD44CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetKeyboardLayoutList.USER32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0055845F), ref: 0055830A
                                                            • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000000,00020019,?,00000040,?), ref: 00558372
                                                            • RegQueryValueExW.ADVAPI32(?,layout text,00000000,00000000,?,00000200), ref: 005583AC
                                                            • RegCloseKey.ADVAPI32(?,00558422,00000000,?,00000200), ref: 00558415
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                            • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$dxD$layout text
                                                            • API String ID: 1703357764-864307836
                                                            • Opcode ID: fb60a5df295c957eb0404e5f092a3a367a012dbe6ae5ca88890075726c5c1705
                                                            • Instruction ID: 1a5b79140d81652e6158ed355ff87afb49eefd5a88f3e5e2b5d4434e5af8b85a
                                                            • Opcode Fuzzy Hash: fb60a5df295c957eb0404e5f092a3a367a012dbe6ae5ca88890075726c5c1705
                                                            • Instruction Fuzzy Hash: EA416874A00209DFDB51DB95C991BAEB7F9FB08308F9040A6E904E7252DB74AE08CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • SHGetPathFromIDListW.SHELL32(0000002B,?), ref: 005A708D
                                                            • SHGetPathFromIDListW.SHELL32(0000002B,?), ref: 005A709E
                                                            • LoadLibraryW.KERNEL32(shell32.dll,00000000,005A71B5,?,?,?,?,00000003,00000000,00000000,?,005A901E,00000000,0000002B,?,00000000), ref: 005A70E3
                                                            • FreeLibrary.KERNEL32(?,?,SHGetPathFromIDListW,shell32.dll,00000000,005A71B5,?,?,?,?,00000003,00000000,00000000,?,005A901E,00000000), ref: 005A7117
                                                            • GetShortPathNameW.KERNEL32 ref: 005A7123
                                                              • Part of subcall function 0042483C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Path$FromLibraryList$AttributesFileFreeLoadNameShort
                                                            • String ID: SHGetPathFromIDListW$shell32.dll
                                                            • API String ID: 1716935149-4041819787
                                                            • Opcode ID: 67e6b3a5649a6259728fbc9b5a399fb55a16764e01cf6bdf8cd1fb77ff14f941
                                                            • Instruction ID: f24a0c27f4c5aba1ac8d85e4b6caa0744ba60476e8af1ded39079c374a10dff6
                                                            • Opcode Fuzzy Hash: 67e6b3a5649a6259728fbc9b5a399fb55a16764e01cf6bdf8cd1fb77ff14f941
                                                            • Instruction Fuzzy Hash: BE41FF75B0420DABDB00EBA5CC429DEB7F9FF89308F51446AF500A7256DA789E05CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 728 42483c-42485c call 409f28 GetFileAttributesW 731 424862-424868 728->731 732 4248e3-4248eb GetLastError 728->732 733 42486a-424873 731->733 734 424878-42487c 731->734 735 4248fc-4248fe 732->735 736 4248ed-4248f0 732->736 737 424902-424909 733->737 738 42487e-424899 CreateFileW 734->738 739 4248ac-4248b2 734->739 735->737 736->735 740 4248f2-4248f5 736->740 738->737 741 42489b-4248aa CloseHandle 738->741 742 4248b4-4248b6 739->742 743 4248b8-4248d3 CreateFileW 739->743 740->735 744 4248f7-4248fa 740->744 741->737 742->737 745 4248d5-4248dd CloseHandle 743->745 746 4248df-4248e1 743->746 744->735 747 424900 744->747 745->737 746->737 747->737
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,00000001,0042498E,00000000,004249F7), ref: 00424891
                                                            • CloseHandle.KERNEL32(00000000,00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,00000001,0042498E,00000000), ref: 0042489C
                                                            • GetLastError.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 004248E3
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$AttributesCloseCreateErrorHandleLast
                                                            • String ID:
                                                            • API String ID: 2927643983-0
                                                            • Opcode ID: 020176eec5d6f42be7d37591b5f78666e78e28d94eb01a82540cde32f1bc8a49
                                                            • Instruction ID: dd33b6b9f81e07856ee37e0e43e0baa8863c9efe5c1a136613ce728169e39ad2
                                                            • Opcode Fuzzy Hash: 020176eec5d6f42be7d37591b5f78666e78e28d94eb01a82540cde32f1bc8a49
                                                            • Instruction Fuzzy Hash: 6511A379B5527828F53031B96C87BBB1149CBC2324FF9162BFB66BA2D1C19C5CC1611E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 748 40345c-40346e 749 403474-403484 748->749 750 4036bc-4036c1 748->750 751 403486-403493 749->751 752 4034dc-4034e5 749->752 753 4037d4-4037d7 750->753 754 4036c7-4036d8 750->754 757 403495-4034a2 751->757 758 4034ac-4034b8 751->758 752->751 759 4034e7-4034f3 752->759 755 403204-40322d VirtualAlloc 753->755 756 4037dd-4037df 753->756 760 403680-40368d 754->760 761 4036da-4036f6 754->761 762 40325f-403265 755->762 763 40322f-40325c call 4031bc 755->763 766 4034a4-4034a8 757->766 767 4034cc-4034d9 757->767 768 403530-403539 758->768 769 4034ba-4034c8 758->769 759->751 771 4034f5-403501 759->771 760->761 770 40368f-403698 760->770 764 403704-403713 761->764 765 4036f8-403700 761->765 763->762 774 403715-403729 764->774 775 40372c-403734 764->775 773 403760-403776 765->773 776 403574-40357e 768->776 777 40353b-403548 768->777 770->760 778 40369a-4036ae Sleep 770->778 771->751 779 403503-40350f 771->779 787 403778-403786 773->787 788 40378f-40379b 773->788 774->773 782 403750-403752 call 403144 775->782 783 403736-40374e 775->783 785 4035f0-4035fc 776->785 786 403580-4035ab 776->786 777->776 784 40354a-403553 777->784 778->761 789 4036b0-4036b7 Sleep 778->789 779->752 780 403511-403521 Sleep 779->780 780->751 792 403527-40352e Sleep 780->792 793 403757-40375f 782->793 783->793 784->777 794 403555-403569 Sleep 784->794 790 403624-403633 call 403144 785->790 791 4035fe-403610 785->791 796 4035c4-4035d2 786->796 797 4035ad-4035bb 786->797 787->788 798 403788 787->798 799 4037bc 788->799 800 40379d-4037b0 788->800 789->760 810 403645-40367e 790->810 814 403635-40363f 790->814 801 403612 791->801 802 403614-403622 791->802 792->752 794->776 805 40356b-403572 Sleep 794->805 807 403640 796->807 808 4035d4-4035ee call 403078 796->808 797->796 806 4035bd 797->806 798->788 803 4037c1-4037d3 799->803 800->803 809 4037b2-4037b7 call 403078 800->809 801->802 802->810 805->777 806->796 807->810 808->810 
809->803
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00403513
                                                            • Sleep.KERNEL32(0000000A,00000000), ref: 00403529
                                                            • Sleep.KERNEL32(00000000), ref: 00403557
                                                            • Sleep.KERNEL32(0000000A,00000000), ref: 0040356D
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 8a9437801f9726fcd377f658ca86df32b8242f6e17eb2e341aa84f4ed14406a7
                                                            • Instruction ID: 42d35f8e0f18d475b3391309c2a26d93bbc44a93d282e8ffa7c4ba0988d3562c
                                                            • Opcode Fuzzy Hash: 8a9437801f9726fcd377f658ca86df32b8242f6e17eb2e341aa84f4ed14406a7
                                                            • Instruction Fuzzy Hash: 8AC157B66017508FCB15CF28D888316BFA8BB86311F1882BFD4549B3D5D778DA81C789
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 817 424594-4245e3 call 409f28 GetFileAttributesExW 820 4245e5-4245ea call 4227fc 817->820 821 42463c-42463e 817->821 828 4245ef-4245f1 820->828 822 424640-42464f GetLastError 821->822 823 424671-424673 821->823 822->823 827 424651-424666 call 409f28 call 424548 822->827 825 424675-424679 823->825 826 424698-4246bf call 408e84 call 408e24 823->826 829 424693 825->829 830 42467b-42468a FileTimeToLocalFileTime 825->830 847 424668-42466d 827->847 848 42466f 827->848 828->821 833 4245f3-4245fd call 424fd0 828->833 829->826 830->826 834 42468c-424691 830->834 843 424622-42463b call 409f28 GetFileAttributesExW 833->843 844 4245ff-42461d call 424db0 call 42bbb4 call 40a184 833->844 834->826 843->821 844->843 847->823 848->823
                                                            APIs
                                                            • GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 004245CE
                                                            • GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424631
                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424640
                                                            • FileTimeToLocalFileTime.KERNEL32(?,FB,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424683
                                                              • Part of subcall function 004227FC: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00422849
                                                              • Part of subcall function 004227FC: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,00000001), ref: 0042287B
                                                              • Part of subcall function 004227FC: CloseHandle.KERNEL32(000000FF,004228C4,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,00000001), ref: 004228B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Attributes$Time$CloseCreateErrorHandleLastLocal
                                                            • String ID: FB
                                                            • API String ID: 3059364927-3670039715
                                                            • Opcode ID: 084c55364e15af505346aa0fcec3a07071e2199f11905a4858fbf33acedc5931
                                                            • Instruction ID: c1c51cff1122fcdef559ddd5f11acc2f09dee7b976e9a9c955d108d858b7bfa2
                                                            • Opcode Fuzzy Hash: 084c55364e15af505346aa0fcec3a07071e2199f11905a4858fbf33acedc5931
                                                            • Instruction Fuzzy Hash: 0631C971B00228ABDB10EBA5E981BEEB7A9EF85304F95016AF800E7381D77C5E058658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 854 4247a4-4247bd call 409f28 GetFileAttributesW 857 42480e-424818 GetLastError 854->857 858 4247bf-4247c2 854->858 861 42481a-42481d 857->861 862 42482f-424831 857->862 859 424807-42480c 858->859 860 4247c4-4247c6 858->860 864 424835-424838 859->864 865 4247c8-4247ca 860->865 866 4247cc-4247ce 860->866 861->862 863 42481f-424822 861->863 862->864 863->862 867 424824-42482d call 424764 863->867 865->864 868 4247d0-4247d2 866->868 869 4247d4-4247ec CreateFileW 866->869 867->862 874 424833 867->874 868->864 871 4247f8-424805 GetLastError 869->871 872 4247ee-4247f6 CloseHandle 869->872 871->864 872->864 874->864
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 004247B5
                                                            • GetLastError.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 0042480E
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 1799206407-0
                                                            • Opcode ID: 11423a4d9bf119b3a4665024e0baf30563eacf8fdec8ac240d4fb1c256c0a377
                                                            • Instruction ID: df278c05cb5f3b8655f05b97a3e56c02e352920f00e9e136846d1621e0c97303
                                                            • Opcode Fuzzy Hash: 11423a4d9bf119b3a4665024e0baf30563eacf8fdec8ac240d4fb1c256c0a377
                                                            • Instruction Fuzzy Hash: C001D43D3602F064DA3431793C867BA4585CFC67A8FB4191BFB62A72E1D78D4843A16E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 875 424bd8-424bf5 call 409f28 DeleteFileW 878 424bf7-424c07 GetLastError GetFileAttributesW 875->878 879 424c2d-424c33 875->879 880 424c27-424c28 SetLastError 878->880 881 424c09-424c0c 878->881 880->879 881->880 882 424c0e-424c10 881->882 882->880 883 424c12-424c25 call 409f28 RemoveDirectoryW 882->883 883->879
                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BE8
                                                            • GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BF7
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000), ref: 00424BFF
                                                            • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C1A
                                                            • SetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C28
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                            • String ID:
                                                            • API String ID: 2814369299-0
                                                            • Opcode ID: 0605bdfd3c34e5159f7918a983dba767ee52ea09f489b57a14fd5e5a3ae7dc66
                                                            • Instruction ID: 57235278477e78b329d2ce1c3220feee781b43d13fc81f95c73842f3904e5c96
                                                            • Opcode Fuzzy Hash: 0605bdfd3c34e5159f7918a983dba767ee52ea09f489b57a14fd5e5a3ae7dc66
                                                            • Instruction Fuzzy Hash: 03F0A76134365119DA10767F28C1EFE114CC9827AFB510B3BFA51D26E2DD5D4C46415D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • OpenListArchive.MIA.LIB(00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D,?,00000000), ref: 007689D5
                                                            • CloseListArchive.MIA.LIB(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D), ref: 00768AAF
                                                              • Part of subcall function 005C9660: FileTimeToLocalFileTime.KERNEL32(00000000,00768B1D,?,?), ref: 005C9677
                                                              • Part of subcall function 005C9660: FileTimeToDosDateTime.KERNEL32 ref: 005C9688
                                                            • GetLastArchiveError.MIA.LIB(00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D,?,00000000), ref: 00768AC2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Time$File$Archive.List$ArchiveCloseDateError.LastLocalOpen
                                                            • String ID: 0
                                                            • API String ID: 727730911-4108050209
                                                            • Opcode ID: 39598fb801144715d430ed12939dcc739c85c6989a4db3fca13b0d22688b50b9
                                                            • Instruction ID: e403871301572a310c12965a92a8fe37dd2a7e1fb090b3dc838229259ec1f960
                                                            • Opcode Fuzzy Hash: 39598fb801144715d430ed12939dcc739c85c6989a4db3fca13b0d22688b50b9
                                                            • Instruction Fuzzy Hash: 8D811870A00209DFCB01DF99D985ADEBBB6FF48304F54416AF805AB261CB78AD45CF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFindFirst
                                                            • String ID: \*.*
                                                            • API String ID: 1974802433-1173974218
                                                            • Opcode ID: 3be14c2d8d1d77d037142b6a1f9ff44d141089ae18a6a13563cfbc3b435fd6d6
                                                            • Instruction ID: 1e61872390994e0bab9c5eff1998993cabc17d9ce8fbc3022cf4e5f77fadce7f
                                                            • Opcode Fuzzy Hash: 3be14c2d8d1d77d037142b6a1f9ff44d141089ae18a6a13563cfbc3b435fd6d6
                                                            • Instruction Fuzzy Hash: D4613B74A0462A9BDF61EB65CC4AB8CBBB5BB44304F5041EAF40CB2291EB355F958F09
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • SetLastError.KERNEL32(00000000,?,?,?,005A723E,00000000,005A725E,?,?,00000000,?,0082D4AC,?,00000000,0082EED8), ref: 00477263
                                                            • GetTempPathW.KERNEL32(00000104,00000000,00000000,?,?,?,005A723E,00000000,005A725E,?,?,00000000,?,0082D4AC,?,00000000), ref: 00477281
                                                            • GetLongPathNameW.KERNEL32(00000000,00000000,00000000), ref: 00477298
                                                            • GetLongPathNameW.KERNEL32(00000000,00000000,00000000), ref: 004772AB
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Path$LongName$ErrorLastTemp
                                                            • String ID:
                                                            • API String ID: 1475991060-0
                                                            • Opcode ID: c1a9d14916921fc4882005c76447c95ddc0c88a49f784e3c695ba513b2c89dbf
                                                            • Instruction ID: e88bcbabdb9f1ec4bc983cdfe1743da0a5c73edf8f11bfb8c4fa61ea373dfb0a
                                                            • Opcode Fuzzy Hash: c1a9d14916921fc4882005c76447c95ddc0c88a49f784e3c695ba513b2c89dbf
                                                            • Instruction Fuzzy Hash: 0AF03031B0421117E610776B8C82FAB11D8CF82B99F40447FB604EF2D7D8BC8C4542AE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • ExtractArchive.MIA.LIB(00000000,00000001,00000000,?,00000001,00000000,?,00000000,00000000,00000000), ref: 0076860B
                                                            • GetLastArchiveError.MIA.LIB(00000000,00000001,00000000,?,00000001,00000000,?,00000000,00000000,00000000), ref: 00768614
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ArchiveArchive.Error.ExtractLast
                                                            • String ID: dxD
                                                            • API String ID: 1514603430-650693785
                                                            • Opcode ID: 9167f4d3a05935a17020eb8cb35b6a608bd2706dc96001d593abfc4359c4743e
                                                            • Instruction ID: e79ef44e2278ca16fdd0482ddfc8cc6e64af0794872f75f7ec4b65b490efbfd6
                                                            • Opcode Fuzzy Hash: 9167f4d3a05935a17020eb8cb35b6a608bd2706dc96001d593abfc4359c4743e
                                                            • Instruction Fuzzy Hash: 2AB14C70A002099FDB00DFA9D985BDEBBB5FF48314F10816AF811A7392DB38AD45CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DB91
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DC07
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0047DC78
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: 8b87bbcb1c312638584391afb04638c45478a71692b4e24da6abdee90267953f
                                                            • Instruction ID: 57266824f2d932d1ce5c4895c05120650e97fd81b45d18efe785b2f0bbc7b4cb
                                                            • Opcode Fuzzy Hash: 8b87bbcb1c312638584391afb04638c45478a71692b4e24da6abdee90267953f
                                                            • Instruction Fuzzy Hash: 28514030F10208AFDB12EBA5C942BDEB7F9AF48304F15846EA459E3382D6799F05D749
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408B85
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00408C26
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00408C62
                                                              • Part of subcall function 00408ABC: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AF5
                                                              • Part of subcall function 00408ABC: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AFB
                                                              • Part of subcall function 00408ABC: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?), ref: 00408B16
                                                              • Part of subcall function 00408ABC: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75), ref: 00408B1C
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID:
                                                            • API String ID: 3490077880-0
                                                            • Opcode ID: 10eb5ef3f6e2d49a959dfc251fea70abf38e8027b0972acb9da723768b44e474
                                                            • Instruction ID: 7c56cf2e3186582e7483b00cd751aa50e1ff6530cd52687d5d3be0a2d44efa3c
                                                            • Opcode Fuzzy Hash: 10eb5ef3f6e2d49a959dfc251fea70abf38e8027b0972acb9da723768b44e474
                                                            • Instruction Fuzzy Hash: AF311970604B058AEB21AB798A5971B76F0AB55314F14093FE1C1A33D2DF7CA884CB5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32(0046169C,00000004,00461694,?,?,?,?,?,?,?,?,?,?,00000000,00461DC8), ref: 00461D6C
                                                            • GetCurrentThread.KERNEL32 ref: 00461DA2
                                                            • GetCurrentThreadId.KERNEL32 ref: 00461DAA
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CurrentThread$ErrorLast
                                                            • String ID:
                                                            • API String ID: 4172138867-0
                                                            • Opcode ID: 46be740d89cc69737b72f33ab050cef0d7a29825237ef2d781c410190c1712a5
                                                            • Instruction ID: d81d373b76c93451c357402c9e60c1bf6b253b3e0664b98a1242fea6a3051ec2
                                                            • Opcode Fuzzy Hash: 46be740d89cc69737b72f33ab050cef0d7a29825237ef2d781c410190c1712a5
                                                            • Instruction Fuzzy Hash: 9F2103709047556EC301DB76CC41AAABBA9BB45304F48852FE850977E1EB7CB814CBAA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000,?,?,00000000,004063A9,0081861A,00000000,008186D2), ref: 0040634C
                                                            • GetStdHandle.KERNEL32(000000F5,?,?,00000000,004063A9,0081861A,00000000,008186D2,?,?,?,00000000,?,0082D52D,00000000,00000000), ref: 0040636C
                                                            • GetLastError.KERNEL32(000000F5,?,?,00000000,004063A9,0081861A,00000000,008186D2,?,?,?,00000000,?,0082D52D,00000000,00000000), ref: 00406380
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateErrorFileHandleLast
                                                            • String ID:
                                                            • API String ID: 1572049330-0
                                                            • Opcode ID: 0ecfb6fcaf6b047c2c800e5ce5bba984b39c90ca47f7306dcbf0570d46417eb6
                                                            • Instruction ID: a368fc4e3039d73de16522235d6a327499955573feef45f3402d5cf96f548e90
                                                            • Opcode Fuzzy Hash: 0ecfb6fcaf6b047c2c800e5ce5bba984b39c90ca47f7306dcbf0570d46417eb6
                                                            • Instruction Fuzzy Hash: DD1105612002008AE724AF58888871B7659EF81314F2AC37BEC0ABF3D5D67DCC5187EE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0047E8B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID: CommonFilesDir
                                                            • API String ID: 3660427363-2265253956
                                                            • Opcode ID: 251a255d2a67f89b6c844501079f28390cd893444f6671e183e0700de479fd03
                                                            • Instruction ID: 4adf3590c5a9773202cffc0e1bc81eb7fd8e28232d7c0278d08eb1294601ee21
                                                            • Opcode Fuzzy Hash: 251a255d2a67f89b6c844501079f28390cd893444f6671e183e0700de479fd03
                                                            • Instruction Fuzzy Hash: AE015275A00208AFC700EFA9DC81ADAB7A8DB49714F00816AF918D7342D6349E0487A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,0047E2FC,?,?,CommonFilesDir,00000000,0047E2FC), ref: 0047E2C5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID: CommonFilesDir
                                                            • API String ID: 3660427363-2265253956
                                                            • Opcode ID: 3028f5571a06ce3ac170fd1c26d1d7cab3a52f1c5851f32da90a4e8d191c3a6b
                                                            • Instruction ID: d6b6cd4c5dc22c8d45e1f2ef645a66dda0b0fdbf6d8587e89431dd27c8b70314
                                                            • Opcode Fuzzy Hash: 3028f5571a06ce3ac170fd1c26d1d7cab3a52f1c5851f32da90a4e8d191c3a6b
                                                            • Instruction Fuzzy Hash: 59F030767041006FD704EA6E9C81F9B67DCDB88714F10843FB25CD7242D928CC058369
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DAF5,?,?,00000000), ref: 0047DA5E
                                                            • RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,0047DAF5,?,?,00000000), ref: 0047DA98
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateOpen
                                                            • String ID:
                                                            • API String ID: 436179556-0
                                                            • Opcode ID: 9a1e1138cb2937812503d6dad519492d49e6a590dd7c3e42ad58e0a73a4d9705
                                                            • Instruction ID: 15b4c6f32ebf0bcf6cadd7e3f265dedb114a34a479296194b3a9dab7f0d7ab52
                                                            • Opcode Fuzzy Hash: 9a1e1138cb2937812503d6dad519492d49e6a590dd7c3e42ad58e0a73a4d9705
                                                            • Instruction Fuzzy Hash: 92318130F14208AFDB11EBA5C842BDEB3F9AF48304F5084BAA419E7282D6789F058759
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000000,0040CD09,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CD92,00000000,?,00000105), ref: 0040CC9D
                                                            • GetSystemDefaultUILanguage.KERNEL32(00000000,0040CD09,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CD92,00000000,?,00000105), ref: 0040CCC5
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DefaultLanguage$SystemUser
                                                            • String ID:
                                                            • API String ID: 384301227-0
                                                            • Opcode ID: 069904bf99abfa0b83b546b1ed0fe6070e1295d5b798fc899ff7ce37847dbfdb
                                                            • Instruction ID: 5ac65596fced7b910d67bbfefc63cc881f334f4f39f389ce6e4f5fa3aa301617
                                                            • Opcode Fuzzy Hash: 069904bf99abfa0b83b546b1ed0fe6070e1295d5b798fc899ff7ce37847dbfdb
                                                            • Instruction Fuzzy Hash: D9312F30A14209DFDB10EBA9C8C2AAEB7B5EF49304F50467BE404B32D1DB789D419B99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteFile.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,?,00000000,?,0040552D,00000064,00402B50,0000D7B1,?,00000000), ref: 004054AE
                                                            • GetLastError.KERNEL32(?,0040552D,00000064,00402B50,0000D7B1,?,00000000,?,00818654,00000000,00000000,008186D2,?,?,?,00000000), ref: 004054B5
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite
                                                            • String ID:
                                                            • API String ID: 442123175-0
                                                            • Opcode ID: 0144cffe5f4022dbbfa19f28a62694fccd9d9f384b429aeac51538f4cc221b03
                                                            • Instruction ID: 58043fc211e287150baae9057470d61647ca602fe4124a230def75f4c210350d
                                                            • Opcode Fuzzy Hash: 0144cffe5f4022dbbfa19f28a62694fccd9d9f384b429aeac51538f4cc221b03
                                                            • Instruction Fuzzy Hash: FC112E71704508EFCB40DF69D981A9FB7E9EB98314B108477E809EB284E634EE00DF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A,?,00000000,0040BB41), ref: 0040CD54
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A), ref: 0040CDA5
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName
                                                            • String ID:
                                                            • API String ID: 1159719554-0
                                                            • Opcode ID: f49f288b91f74fcd056493bfe9f938fb0be1b07c46389491cba556945b7e8bda
                                                            • Instruction ID: f95f1c7a7be229697cbd4194ea68f03b1ad684dc9f70ad0e1a70e9e9ecd67c69
                                                            • Opcode Fuzzy Hash: f49f288b91f74fcd056493bfe9f938fb0be1b07c46389491cba556945b7e8bda
                                                            • Instruction Fuzzy Hash: 7A115130A4421C9BDB14EB50C986BDE77B9DB48304F5145BAB508F32D1DA785F848A99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindNextFileW.KERNEL32(?,?,00000001,00596489,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834,?,?), ref: 00424BA3
                                                            • GetLastError.KERNEL32(?,?,00000001,00596489,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834,?,?), ref: 00424BB5
                                                              • Part of subcall function 00424AC0: FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
                                                              • Part of subcall function 00424AC0: FileTimeToDosDateTime.KERNEL32 ref: 00424B01
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileTime$DateErrorFindLastLocalNext
                                                            • String ID:
                                                            • API String ID: 2103556486-0
                                                            • Opcode ID: 249219fde11eba4d8f0847427deaa5469a8e1ed67c38deb41bcea90f0b7b4556
                                                            • Instruction ID: 94c3d661e99e19b0cf242ad5cc108513695bb429cd69848a77f49ac234955743
                                                            • Opcode Fuzzy Hash: 249219fde11eba4d8f0847427deaa5469a8e1ed67c38deb41bcea90f0b7b4556
                                                            • Instruction Fuzzy Hash: D6C012E2300100574B40AFF6A8C1A9722CC5E8820535805ABBA15CA307DE1DD4504618
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • IsDBCSLeadByteEx.KERNEL32(000004E4,?), ref: 00406833
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteLead
                                                            • String ID:
                                                            • API String ID: 535570690-0
                                                            • Opcode ID: 2f1cb644fb499c63dc5b30d7fec0a20aa9a1c674713672119258b17d28bc32fe
                                                            • Instruction ID: 90b6fd22d809609ea3004cdd2524d420e27ac6550840b70b8a809d14a669ba94
                                                            • Opcode Fuzzy Hash: 2f1cb644fb499c63dc5b30d7fec0a20aa9a1c674713672119258b17d28bc32fe
                                                            • Instruction Fuzzy Hash: 93317C35904184DFDB00D7A8C289BEE7BF1AB11300F1A40F6E845BB2C3D2799F59A715
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DB91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: 00dcda4b3357fe27e592dec70060977e4b8871651b2a585f5acb668b467a1053
                                                            • Instruction ID: f23ec4b5702853a7ea5987bf2f7fdd18b2bb3f750e5d560e0cf6f6033a68423a
                                                            • Opcode Fuzzy Hash: 00dcda4b3357fe27e592dec70060977e4b8871651b2a585f5acb668b467a1053
                                                            • Instruction Fuzzy Hash: 4821A330F14204AFDB12EB65C952BDEB7F99F48304F2184BEA409E3682D6789E059749
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindResourceW.KERNEL32(00000000,00000000,0000000A,00000000,?,00000000,?,?,00452014,00000000,0045202C,?,0000FFA4,00000000,00000000), ref: 00451E6A
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FindResource
                                                            • String ID:
                                                            • API String ID: 1635176832-0
                                                            • Opcode ID: 4159ebc1ff9f4fa63e2dc2a99cbc1145e40678475c0226c159b9e0146ed05156
                                                            • Instruction ID: d8758b5084b721e2e7b8f07ffa62b5cfea11b7d3667cb77975f3ea63007917f4
                                                            • Opcode Fuzzy Hash: 4159ebc1ff9f4fa63e2dc2a99cbc1145e40678475c0226c159b9e0146ed05156
                                                            • Instruction Fuzzy Hash: 8801D4313083006BD700DF66EC82E6BB7EDEB89719711047AFD00D7292DA7A9C049658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047E9C2), ref: 0047E9A7
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: d175568d259705272e6aa47e86a25d25f43ae7f404f24f7bcc6ed7cf32099ec8
                                                            • Instruction ID: 6c2b064bdfea16977048b204395c2f05d037ce64966bcf41a7dd1988fe17c46e
                                                            • Opcode Fuzzy Hash: d175568d259705272e6aa47e86a25d25f43ae7f404f24f7bcc6ed7cf32099ec8
                                                            • Instruction Fuzzy Hash: 2701B971B00608AFD700EB66C852ADE73ECDB4C304F5040BAB509E3292EA389E048658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID:
                                                            • API String ID: 2422867632-0
                                                            • Opcode ID: 29575488970f715b17986a15caf58521d83e83b8c7794ca887fe32ca52364b9b
                                                            • Instruction ID: ef301df739cc694c572c5ee0b50773967ece18fc2577e6befe398edb865a9ec1
                                                            • Opcode Fuzzy Hash: 29575488970f715b17986a15caf58521d83e83b8c7794ca887fe32ca52364b9b
                                                            • Instruction Fuzzy Hash: A6015E72B04214AFDB41DB9D9884B4AB7ECAB98360F10817AF548E73D1DA749D408B68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00000000,004087DE,?,00841054,00843B18,00000000,?,00408BF6,?,?,?,?,00408C8A,004049FB,00404A42), ref: 004087CE
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            • Opcode ID: 669d9c16f68d7d69e55c837bd1127b50049780d4758f6d47d6ce2fb4150e7957
                                                            • Instruction ID: 3416b5ca3d522f064810a6436f6233d91ae6f526f1053d7af4a84366dc213eb1
                                                            • Opcode Fuzzy Hash: 669d9c16f68d7d69e55c837bd1127b50049780d4758f6d47d6ce2fb4150e7957
                                                            • Instruction Fuzzy Hash: 0BF09036205B159ED3214F1AAE80A13FBECF749760BB5413FD844A3B96DA349800C6A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,?,00000001,0042C450,00000000,0042C3AF,?,00000000,0042C40D), ref: 0042304B
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID:
                                                            • API String ID: 1825529933-0
                                                            • Opcode ID: 1367ec480eb4cb0b958e952430911fc2e6c6f941ff26b9b5787ef9433decb0e0
                                                            • Instruction ID: 7d4b6c6e5e0bed3a7d05330ec8cb189f96d8e7c295e251969e5bd50bfcc166b6
                                                            • Opcode Fuzzy Hash: 1367ec480eb4cb0b958e952430911fc2e6c6f941ff26b9b5787ef9433decb0e0
                                                            • Instruction Fuzzy Hash: 70E0D8B37413652BE92099AE5CC1FB7669CCB897A6B05017AFF04F7346C9595C0141B4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,0059EC8D,?,00000001,?,?,0082DB80,?,mia,.res,00000000,00000000,00000000,?,00000000), ref: 0059EC63
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 4fcf3b4a5b7900d620859b366189a173618c0baed1ed45520c03ae6a57b3418a
                                                            • Instruction ID: 270be10a341e33f11dd85db8b8dc784368f0353ba6e026200a026ced54a91c08
                                                            • Opcode Fuzzy Hash: 4fcf3b4a5b7900d620859b366189a173618c0baed1ed45520c03ae6a57b3418a
                                                            • Instruction Fuzzy Hash: AEF0E530604208FEDF44EB79CE53CAD7BECFB097187A0097AF450E26E1D6396E04A518
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00424594: GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 004245CE
                                                              • Part of subcall function 00424594: GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424631
                                                              • Part of subcall function 00424594: GetLastError.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424640
                                                              • Part of subcall function 00424594: FileTimeToLocalFileTime.KERNEL32(?,FB,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424683
                                                            • FileTimeToDosDateTime.KERNEL32 ref: 004246F9
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Time$Attributes$DateErrorLastLocal
                                                            • String ID:
                                                            • API String ID: 663141457-0
                                                            • Opcode ID: 277bbfe9d65a59bbddf6dd17e79c36de28946aecbf085cc2aac3b5beac8cee4c
                                                            • Instruction ID: e04da985f904ea9dfe94d092605b8332e34c08d2116ba371cb577d0f9109872a
                                                            • Opcode Fuzzy Hash: 277bbfe9d65a59bbddf6dd17e79c36de28946aecbf085cc2aac3b5beac8cee4c
                                                            • Instruction Fuzzy Hash: 5FF0E535A0020DA78F10CED898808DEB3A8DA86328F604793E934E7281EB369F049794
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,0000020A,?,00000000,0040BB41,0041E298,0041E29C,?,0040D5A0), ref: 0040BAF2
                                                              • Part of subcall function 0040CD18: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A,?,00000000,0040BB41), ref: 0040CD54
                                                              • Part of subcall function 0040CD18: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A), ref: 0040CDA5
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileModuleName$LibraryLoad
                                                            • String ID:
                                                            • API String ID: 4113206344-0
                                                            • Opcode ID: e9047e7e718f9a5106684697ebfde9e3f407d95ad0ce6d1c0455f8f31703f4f1
                                                            • Instruction ID: a88651896b0ed3a23ea67229964229f1848bdffbb32de574980f9bf0ab694c8b
                                                            • Opcode Fuzzy Hash: e9047e7e718f9a5106684697ebfde9e3f407d95ad0ce6d1c0455f8f31703f4f1
                                                            • Instruction Fuzzy Hash: 01E0C971A003109BDB10DE58C9C5A5637A4AF49754F044666AD14EF38AD375D91087D5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000001,004249D2,00000000,004249F7,?,?,00000000,00000000,00000000,00000000,?,0082D4D3,?,00000000), ref: 004250F1
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateDirectory
                                                            • String ID:
                                                            • API String ID: 4241100979-0
                                                            • Opcode ID: 383a688f34737a12b868ed746cb1ae341d81b257cb3ad43e14afc6877cde684f
                                                            • Instruction ID: 8f43151b22b1469bfb9e70a166b3f2c49ff5d4be4b49b84714ba4ddc6eb884e8
                                                            • Opcode Fuzzy Hash: 383a688f34737a12b868ed746cb1ae341d81b257cb3ad43e14afc6877cde684f
                                                            • Instruction Fuzzy Hash: 4CB092A27942402AEA0036BA0CC2B6A00CDD79860AF10083AB602D6193E47AC8440014
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00408BE6,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00407184
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            • Opcode ID: 6a3c7b9f1797a488de21e861749322422cbf90c3622f26d40c67571f13affa8d
                                                            • Instruction ID: 41ba22d18321cb76633606a16cf5ad3b717cdc5a2f3560622911eff0241e057f
                                                            • Opcode Fuzzy Hash: 6a3c7b9f1797a488de21e861749322422cbf90c3622f26d40c67571f13affa8d
                                                            • Instruction Fuzzy Hash: 34B01270A000415BCE008A11C54C4557B515B5130C31000A4C8018F3D0CE27A804C701
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,00000000,00000000,?,?,0058503C,005874F0,?,00000000,0058512B,?,00000000,?), ref: 00464D06
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 09c544327ed3e2257745a0b1e5b614fcc5909a1661039ce2c3f127fb09c38e11
                                                            • Instruction ID: 414783f545f013a41a00390d3318c56245cd632fceaf0a69517d536ab90c3cc3
                                                            • Opcode Fuzzy Hash: 09c544327ed3e2257745a0b1e5b614fcc5909a1661039ce2c3f127fb09c38e11
                                                            • Instruction Fuzzy Hash: 85115E746007058BC710DF1AD880B42FBE5FF89750F10C53AEA598B385E374E915CBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00403757), ref: 0040315A
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: f216b6ceb9f08cfb8ecaa4418ae988c501d28e156bbf7e1e539a0e26d76dff0d
                                                            • Instruction ID: eaab0908dca398bdff0d631121814ce98026ab15d171e95ea26a12bb78313901
                                                            • Opcode Fuzzy Hash: f216b6ceb9f08cfb8ecaa4418ae988c501d28e156bbf7e1e539a0e26d76dff0d
                                                            • Instruction Fuzzy Hash: 1EF04FB5B422004BDB14CF798D49302BAD6B78A305F10817EE509DB79CDB748446CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000), ref: 0040C451
                                                            • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040C462
                                                            • lstrcpynW.KERNEL32(?,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105), ref: 0040C492
                                                            • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019), ref: 0040C501
                                                            • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001), ref: 0040C549
                                                            • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830), ref: 0040C55C
                                                            • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000), ref: 0040C572
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F), ref: 0040C57E
                                                            • lstrcpynW.KERNEL32(0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?), ref: 0040C5BA
                                                            • lstrlenW.KERNEL32(?,0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298), ref: 0040C5C6
                                                            • lstrcpynW.KERNEL32(?,0000005C,?,?,0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 0040C5E9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                            • String ID: GetLongPathNameW$\$kernel32.dll
                                                            • API String ID: 3245196872-3908791685
                                                            • Opcode ID: b04ba5caedf144eeb875c5d634dacea720d2e9b1876c80ca577194fcfae269f7
                                                            • Instruction ID: 76c12ef7d0d67687ef3a7bd8e91ca30b501443e14e09bb49bd729650117b71ee
                                                            • Opcode Fuzzy Hash: b04ba5caedf144eeb875c5d634dacea720d2e9b1876c80ca577194fcfae269f7
                                                            • Instruction Fuzzy Hash: 1A517476900228EBCB10EB94CDC5ADE73BCAF44314F1446B6A505F72C1E678EE409B59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB,?,?,?,?,00000000,00000000), ref: 00794367
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB,?,?,?,?,00000000), ref: 00794379
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 00794536
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 00794547
                                                            • FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 0079455C
                                                            • FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 0079456E
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000), ref: 0079466A
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000), ref: 0079467B
                                                              • Part of subcall function 007942A8: FindClose.KERNEL32(000000FF), ref: 0079448A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$Close$File$FirstNext
                                                            • String ID: $IGNORE$$*.*$dxD
                                                            • API String ID: 3527384056-1668806599
                                                            • Opcode ID: 0ca9cdae76652d41ac622ccf3a5bcac9f3a953c23b400b37e8c6532243a88ea4
                                                            • Instruction ID: e1b80d9ff527bd2dbf90f37abcf2fb7d5bc5ee44b63da5edd6403852173e2c8f
                                                            • Opcode Fuzzy Hash: 0ca9cdae76652d41ac622ccf3a5bcac9f3a953c23b400b37e8c6532243a88ea4
                                                            • Instruction Fuzzy Hash: E0B16E74A0421A9FCF20EBA5D889FDDB3B5EF45304F1041E6E508A7291DB38AE86CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920,00000000), ref: 007947B6
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920), ref: 007947C8
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E), ref: 0079496C
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001), ref: 0079497D
                                                            • FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000), ref: 00794992
                                                            • FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000), ref: 007949A4
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053), ref: 00794A4A
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B), ref: 00794A5B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFile$FirstNext
                                                            • String ID: *.*$dxD
                                                            • API String ID: 1164774033-3064973229
                                                            • Opcode ID: 48861e728c33fcb31fb06544e2d3f24791516a9b7d6b355fd16156afaa90fea4
                                                            • Instruction ID: ff152c514afcea9cfc9e838b5402cdfe4aa7c3f6c782aca87fd93a1163c2126f
                                                            • Opcode Fuzzy Hash: 48861e728c33fcb31fb06544e2d3f24791516a9b7d6b355fd16156afaa90fea4
                                                            • Instruction Fuzzy Hash: 1591417490421E9FCF20EBA5D889EDDB7B5EF44308F1041E9E508A7291DB38AE86CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005965A2
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005965B4
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005966BD
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000), ref: 005966CE
                                                            • FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000), ref: 005966E3
                                                            • FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000), ref: 005966F5
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000), ref: 0059679B
                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000), ref: 005967AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFile$FirstNext
                                                            • String ID: *.*$dxD
                                                            • API String ID: 1164774033-3064973229
                                                            • Opcode ID: 923b812e680f5dd07e6239f800a0fc17d47a8c003e3a36ed88f83db44a91d92a
                                                            • Instruction ID: 36c3d6617cd4af2a79d1d750f7a8f62ae953cbc5bd5202a4d3b83fbe1fa0981b
                                                            • Opcode Fuzzy Hash: 923b812e680f5dd07e6239f800a0fc17d47a8c003e3a36ed88f83db44a91d92a
                                                            • Instruction Fuzzy Hash: 8371527490421E9FCF10EBA5C889ADDBBB9FF44308F1041E6E508A7295DB34AE89CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920,00000000), ref: 007947B6
                                                            • FindClose.KERNEL32(000000FF,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920), ref: 007947C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID: *.*$dxD
                                                            • API String ID: 2295610775-3064973229
                                                            • Opcode ID: f2b3fefebb37129a0a1e6f182d7a70ee6f754dab094e66b77317f835a39bf437
                                                            • Instruction ID: 1a731755e4436f46a0472c1f2d3eaa4540c5553183ac843544b75001628e15ed
                                                            • Opcode Fuzzy Hash: f2b3fefebb37129a0a1e6f182d7a70ee6f754dab094e66b77317f835a39bf437
                                                            • Instruction Fuzzy Hash: 61217F70904249AFDF11EBA4DC86EDEB7B8EF45304F5085AAE504A3291DB385E46CB98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryW.KERNEL32(PSAPI.dll,00000000,0041334D,00000000,00000000,00000000,?,00422706,00000104,00000000,0042275A,?,000003EE,00000004,00000000,00000000), ref: 00412E70
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
                                                            • API String ID: 1029625771-2267155864
                                                            • Opcode ID: 6bac1b2b4a319ff33ccb8e8104650400bc02deb93b4b18c6396d2ce78b5e6f7a
                                                            • Instruction ID: e8ef9a16514465b5e6b2cf852d3bc01d448d5d354a81a289e54fbc754b55e648
                                                            • Opcode Fuzzy Hash: 6bac1b2b4a319ff33ccb8e8104650400bc02deb93b4b18c6396d2ce78b5e6f7a
                                                            • Instruction Fuzzy Hash: 6D41FAB8A40318AF9F00EFB69CC6A9537A8BB06705710056FB514DF3A4DA78DA81CB1D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000,00000000), ref: 0040C30E
                                                            • LeaveCriticalSection.KERNEL32(00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000), ref: 0040C332
                                                            • LeaveCriticalSection.KERNEL32(00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000), ref: 0040C341
                                                            • IsValidLocale.KERNEL32(00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09), ref: 0040C353
                                                            • EnterCriticalSection.KERNEL32(00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09), ref: 0040C3B0
                                                            • lstrcpynW.KERNEL32(en-US,en,,00000000,000000AA,00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA), ref: 0040C3CE
                                                            • LeaveCriticalSection.KERNEL32(00843B88,en-US,en,,00000000,000000AA,00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000), ref: 0040C3D8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$Enter$LocaleValidlstrcpyn
                                                            • String ID: en-US,en,
                                                            • API String ID: 1058953229-3579323720
                                                            • Opcode ID: 633940988bd0bd6c9b287c41c329676b3fc209daa88bbceb5542c180f6a54ac6
                                                            • Instruction ID: 840befadd27682b71f7f5cd4a757e932a44a81a62cff2673ef979b7a35d4f3a5
                                                            • Opcode Fuzzy Hash: 633940988bd0bd6c9b287c41c329676b3fc209daa88bbceb5542c180f6a54ac6
                                                            • Instruction Fuzzy Hash: 8421D834354708A7D7147BA68D57B1E3294EF85758F50453FB840F63D2CABC9D01929E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AF5
                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AFB
                                                            • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?), ref: 00408B16
                                                            • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75), ref: 00408B1C
                                                            • MessageBoxA.USER32 ref: 00408B3A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileHandleWrite$Message
                                                            • String ID: Error$Runtime error at 00000000
                                                            • API String ID: 1570097196-2970929446
                                                            • Opcode ID: d55f0b3ec2b3309b3ec7c4b4bf2282798b450c2c57fb01e50abc9738b356a3b2
                                                            • Instruction ID: 883d27b1f089570435a1ec32665e41e73b0e3fe465dedc934fa18f7fcc10b570
                                                            • Opcode Fuzzy Hash: d55f0b3ec2b3309b3ec7c4b4bf2282798b450c2c57fb01e50abc9738b356a3b2
                                                            • Instruction Fuzzy Hash: 98F0A4A1A8024035FE107BA55E1EF56366CA751B19F10463FB160B56D2CABC68C4C619
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ff865de398dabf03235835d6a03df8d6bd4440262de3a292e4e093a064290b02
                                                            • Instruction ID: 06de5c44b1e8d66e5792396b36ef80cda03d3281113913fe30758daa7217e7fe
                                                            • Opcode Fuzzy Hash: ff865de398dabf03235835d6a03df8d6bd4440262de3a292e4e093a064290b02
                                                            • Instruction Fuzzy Hash: 3EC14A627106000BE714AE7D9D8972EBA8D9BC5326F18823FF144EB3D6DA7CDE458348
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00407F3C: GetCurrentThreadId.KERNEL32 ref: 00407F3F
                                                            • GetTickCount.KERNEL32 ref: 00407B7B
                                                            • GetTickCount.KERNEL32 ref: 00407B8D
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407BC0
                                                            • GetTickCount.KERNEL32 ref: 00407BE7
                                                            • GetTickCount.KERNEL32 ref: 00407C21
                                                            • GetTickCount.KERNEL32 ref: 00407C4B
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407CC1
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountTick$CurrentThread
                                                            • String ID:
                                                            • API String ID: 3968769311-0
                                                            • Opcode ID: 5369a3ff8cf9b08d90c4e116274b425cc6b0c131ff5b93987916801eede752e2
                                                            • Instruction ID: 505cc0ca4ebae022a0f1ed319f5fc283f6d826263fe70601ac970ffa21443408
                                                            • Opcode Fuzzy Hash: 5369a3ff8cf9b08d90c4e116274b425cc6b0c131ff5b93987916801eede752e2
                                                            • Instruction Fuzzy Hash: 88418F30A0C3444AE720AE7CC58832F7BD1AB85344F15893FE4D4A73C2DABCA881975B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryW.KERNEL32(shfolder.dll,00000000,005A6FF3), ref: 005A6F30
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            • GetDesktopWindow.USER32 ref: 005A6F69
                                                            • GetShortPathNameW.KERNEL32 ref: 005A6F96
                                                            • FreeLibrary.KERNEL32(00000000,00000000,SHGetFolderPathW,shfolder.dll,00000000,005A6FF3), ref: 005A6FD0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Library$AddressDesktopFreeLoadNamePathProcShortWindow
                                                            • String ID: SHGetFolderPathW$shfolder.dll
                                                            • API String ID: 190074832-3387970553
                                                            • Opcode ID: 31a51a6c87f614c9f7c1187207f5dc5a0d7fce9b88a45971a8966e53014efcb9
                                                            • Instruction ID: ec3bacc96b391dfa64664bada29a1a1cad6acc7f1103c9f38b08fc0397cb3db3
                                                            • Opcode Fuzzy Hash: 31a51a6c87f614c9f7c1187207f5dc5a0d7fce9b88a45971a8966e53014efcb9
                                                            • Instruction Fuzzy Hash: 7021C775E4420AAFCB00EBA5DC51AAEBBB8FF46704F14447AF504F7294DB349E008B58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,00000001), ref: 00407916
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040791C
                                                            • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation,00000001), ref: 00407938
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastModuleProc
                                                            • String ID: GetLogicalProcessorInformation$kernel32.dll$k
                                                            • API String ID: 4275029093-3824636038
                                                            • Opcode ID: bc1493411cf7a1fdcbc33e286c73cc8e5e4d51c8ea2d0e9cf86bcd57a426165a
                                                            • Instruction ID: 3ef7fc8a316c6a40be9ae1a577b33141ba89fc8532ffa234138abc26abf6d127
                                                            • Opcode Fuzzy Hash: bc1493411cf7a1fdcbc33e286c73cc8e5e4d51c8ea2d0e9cf86bcd57a426165a
                                                            • Instruction Fuzzy Hash: 72116AB1D0C204AEFB10EBA5DE45B5EB7A9EB44314F20447BE404B22C2D67DB940D66E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileSize.KERNEL32(?,?), ref: 00422609
                                                            • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000001,00000000,?,?), ref: 0042269F
                                                            • MapViewOfFile.KERNEL32(000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000,00000001,00000000,?), ref: 004226CE
                                                            • GetCurrentProcess.KERNEL32(00000104,00000000,0042275A,?,000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000), ref: 004226F3
                                                            • UnmapViewOfFile.KERNEL32(00000000,00422761,?,000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000,00000001), ref: 00422754
                                                              • Part of subcall function 00422390: GetLogicalDriveStringsW.KERNEL32(00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223CD
                                                              • Part of subcall function 00422390: QueryDosDeviceW.KERNEL32(?,?,00000104,00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223F7
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$View$CreateCurrentDeviceDriveLogicalMappingProcessQuerySizeStringsUnmap
                                                            • String ID:
                                                            • API String ID: 435433801-0
                                                            • Opcode ID: 73ae006de74c5a6efbfeb4249140766e4eca8248ed6ba63f726dbea61ff99326
                                                            • Instruction ID: 4187adb91f966debfcf9f471d10a7bce2dda35d7e6eeff07d021d263234a0034
                                                            • Opcode Fuzzy Hash: 73ae006de74c5a6efbfeb4249140766e4eca8248ed6ba63f726dbea61ff99326
                                                            • Instruction Fuzzy Hash: 88518F70B04219BFDB10EFA5D985B9EB7B5EB48304F9044EAE504A7291D7B89E80CF58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFileAttributesW.KERNEL32(00000000,?,?,?,00000000,00000000,0000000B,00000000,00000000,00000001,?,007D984A,00000000,007D98E0), ref: 00768E99
                                                              • Part of subcall function 00424BD8: DeleteFileW.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BE8
                                                              • Part of subcall function 00424BD8: GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BF7
                                                              • Part of subcall function 00424BD8: GetFileAttributesW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000), ref: 00424BFF
                                                              • Part of subcall function 00424BD8: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C1A
                                                            • MoveFileW.KERNEL32(00000000), ref: 00768F33
                                                              • Part of subcall function 0040717C: KiUserCallbackDispatcher.NTDLL(00408BE6,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00407184
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Attributes$CallbackDeleteDirectoryDispatcherErrorLastMoveRemoveUser
                                                            • String ID: *.*
                                                            • API String ID: 691102307-438819550
                                                            • Opcode ID: 67e84289ecff61f33034e0fd06d8d97b73431112671c936c531bd7e4000b6789
                                                            • Instruction ID: 0fa0777bf0979ef0c8522848ad50890eb5ff942d969ead750916ebb87b8794d9
                                                            • Opcode Fuzzy Hash: 67e84289ecff61f33034e0fd06d8d97b73431112671c936c531bd7e4000b6789
                                                            • Instruction Fuzzy Hash: 4691FC30A0010EAFDF01EBA9D845ACDB7B5FF58304F50856AF805B72A5DB35AE05CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID: |>C
                                                            • API String ID: 1473721057-213533553
                                                            • Opcode ID: f77f160c4784674292fd838c38f5d47e98ced0e3141dfb1bc3a2e06e65c17674
                                                            • Instruction ID: 20914c188d6625644210769ee22846e9ff66e0570ff4a8d1b76d358979a87ea4
                                                            • Opcode Fuzzy Hash: f77f160c4784674292fd838c38f5d47e98ced0e3141dfb1bc3a2e06e65c17674
                                                            • Instruction Fuzzy Hash: 3D01D46070421086DB10AB25DA857E632985FAD308F20357BB0469B253CB7CFC46D76F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 007D6E80: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
                                                              • Part of subcall function 007D6E80: GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,?,?,00794AFA), ref: 007DBD90
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: HandleModule$AddressCurrentProcProcess
                                                            • String ID: Win32$Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 4003494863-80893164
                                                            • Opcode ID: 08872e14f903e4fc870fbfef4b6a36aa4199ea15be0b445078baef3c9e14c768
                                                            • Instruction ID: b85d9e4078d9ce42f5daec457a4bd7b584622aa0e684e5eccdb4b4bfda696b28
                                                            • Opcode Fuzzy Hash: 08872e14f903e4fc870fbfef4b6a36aa4199ea15be0b445078baef3c9e14c768
                                                            • Instruction Fuzzy Hash: 30E02B20B41350E5CE10A7B598167A507B61E4DF8870A0427FD80A73D3DB5CCC0159E8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 007D6E80: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
                                                              • Part of subcall function 007D6E80: GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,?,?,00794B5A,00794B62), ref: 007DBE64
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: HandleModule$AddressCurrentProcProcess
                                                            • String ID: Win32$Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 4003494863-74661203
                                                            • Opcode ID: 4b5169e114a068f3f1820069252d1bfd3dd91b72d2f48b51fada0d1a3b731179
                                                            • Instruction ID: 5d07d555bf60436f01e20604474d777d017adacec3ea30256a2cc30a8457dad9
                                                            • Opcode Fuzzy Hash: 4b5169e114a068f3f1820069252d1bfd3dd91b72d2f48b51fada0d1a3b731179
                                                            • Instruction Fuzzy Hash: CDF0E561A013B0D5CE2063795815EE21FB82B45748F0A0927BF8097793D72CCC0D82A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            • GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressCurrentHandleModuleProcProcess
                                                            • String ID: IsWow64Process$kernel32
                                                            • API String ID: 4190356694-3789238822
                                                            • Opcode ID: fbfa8b9be56232b2a7a050497b9336513c0f72992db566346c55723fb6780570
                                                            • Instruction ID: 8f20da8456057496d7b22a05698da9075f8360932483dc278fb67f6f45ead45b
                                                            • Opcode Fuzzy Hash: fbfa8b9be56232b2a7a050497b9336513c0f72992db566346c55723fb6780570
                                                            • Instruction Fuzzy Hash: 7FE012BE7647436E6E0077F79C82D6B17AC9A90359710093BF540D0252EAADC855102D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C1E5
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040C243
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040C2A0
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040C2D3
                                                              • Part of subcall function 0040C190: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040C251), ref: 0040C1A7
                                                              • Part of subcall function 0040C190: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040C251), ref: 0040C1C4
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Thread$LanguagesPreferred$Language
                                                            • String ID:
                                                            • API String ID: 2255706666-0
                                                            • Opcode ID: bc24a83227e15b380631f55bd2f426ee2f9d90468bb3ecff20a5d0c17074213b
                                                            • Instruction ID: 5adc0bea2c8af2d65c5d3e99b3eb73bb67b06f85e1b4683f9ecad5d3c1eab476
                                                            • Opcode Fuzzy Hash: bc24a83227e15b380631f55bd2f426ee2f9d90468bb3ecff20a5d0c17074213b
                                                            • Instruction Fuzzy Hash: 42310A70E0021ADBDB10EBE9C885AAFB7B8FF48314F4046BAE551F7295D7789A04CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindNextFileW.KERNEL32(?,?), ref: 00424AD1
                                                            • GetLastError.KERNEL32(?,?), ref: 00424ADA
                                                            • FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
                                                            • FileTimeToDosDateTime.KERNEL32 ref: 00424B01
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileTime$DateErrorFindLastLocalNext
                                                            • String ID:
                                                            • API String ID: 2103556486-0
                                                            • Opcode ID: 9609eb00e04a689bd71bdebf9600531a51fed77c8bea1292b3844d585f781882
                                                            • Instruction ID: fe6fac3a6ac03b6b4440619cae4f2eff92646066b65c4be4ccf9c54d9b613497
                                                            • Opcode Fuzzy Hash: 9609eb00e04a689bd71bdebf9600531a51fed77c8bea1292b3844d585f781882
                                                            • Instruction Fuzzy Hash: 5411ADB1700100AFDB44DF69C8C199777ECEF8834475485ABED04CB24EE638DC018BA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindResourceW.KERNEL32(00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?,?,00000000,?,00451E89), ref: 004580FB
                                                            • LoadResource.KERNEL32(00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?,?,00000000), ref: 00458115
                                                            • SizeofResource.KERNEL32(00000000,00458180,00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?), ref: 0045812F
                                                            • LockResource.KERNEL32(00456D84,00000000,00000000,00458180,00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000), ref: 00458139
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID:
                                                            • API String ID: 3473537107-0
                                                            • Opcode ID: 414d090d51e5c97bb2d7871269b0df026c3f90b3cc5e867df6ac2b737ce49eed
                                                            • Instruction ID: ade0e4e0a8cbb3b7b760c1b632ec3f7ae6df1f7590847d81dfa81050c3fea11b
                                                            • Opcode Fuzzy Hash: 414d090d51e5c97bb2d7871269b0df026c3f90b3cc5e867df6ac2b737ce49eed
                                                            • Instruction Fuzzy Hash: 95F04BB26056046F4B44EF6EA881DAB77DCEE88265314016FFE18D7203EE39DD058378
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: oY@$X(
                                                            • API String ID: 0-2454232136
                                                            • Opcode ID: a3635da41d6ada84ed8f10af34513a83174d4b8c9a070eb1340295e14fa243af
                                                            • Instruction ID: 657c74bf76a079fdf93a688482b863b4ef09bc5b766970fd558e04562a456c78
                                                            • Opcode Fuzzy Hash: a3635da41d6ada84ed8f10af34513a83174d4b8c9a070eb1340295e14fa243af
                                                            • Instruction Fuzzy Hash: F351D431A045A88BCB11DB69C4957AF7BB4DF51304F0801BB9885BB2C7D63C9E05DFA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0042483C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
                                                            • GetVolumeInformationW.KERNEL32(00000000,?,00000104,?,?,?,?,00000104,00000000,0042448C,?,00000000,?), ref: 004243F3
                                                            • GetDriveTypeW.KERNEL32(00000000), ref: 00424418
                                                              • Part of subcall function 004247A4: GetFileAttributesW.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 004247B5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile$DriveInformationTypeVolume
                                                            • String ID: d5A
                                                            • API String ID: 2660071179-326437214
                                                            • Opcode ID: 2fa643a2496d0fd72efea3c911f6a909d600cda9c01ece4b0853edc21ea82aae
                                                            • Instruction ID: bd563c539b1aab59f9bd9d3b06265d9c66015eb71dfd5a6194938a33824a214f
                                                            • Opcode Fuzzy Hash: 2fa643a2496d0fd72efea3c911f6a909d600cda9c01ece4b0853edc21ea82aae
                                                            • Instruction Fuzzy Hash: CE31D870B002285ADB11FB55E8427DD77A8EF84708FC441ABE904A3292DB3C5F45DE5C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VariantCopy.OLEAUT32 ref: 00434D2D
                                                              • Part of subcall function 0043446C: VariantClear.OLEAUT32 ref: 0043447B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Variant$ClearCopy
                                                            • String ID: |>C
                                                            • API String ID: 274517740-213533553
                                                            • Opcode ID: 8771a4346e2b20afc04fff4dabda3d31eb32952cc78d6270db85b0f1906f051e
                                                            • Instruction ID: 6a0268472f155fb589513e0d0a9dd18b4d2ee9e8d712b2481dc583d533d54a34
                                                            • Opcode Fuzzy Hash: 8771a4346e2b20afc04fff4dabda3d31eb32952cc78d6270db85b0f1906f051e
                                                            • Instruction Fuzzy Hash: 9B21743030021097DB31AF29E4815E777E69FCD750F10A46BE84A8B356DA3CEC82C66E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(NTDLL.DLL,NtQueryObject,00000000,00000000), ref: 004224EE
                                                              • Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: NTDLL.DLL$NtQueryObject
                                                            • API String ID: 1646373207-3865875859
                                                            • Opcode ID: 39398ca4bf87bed804ca7380330e155dc5bba8e055c56731faf510cc40fa8a3d
                                                            • Instruction ID: 9e746bf49908d423d3971de1d80f05601bd15af5f2909352a40ec1968959bb51
                                                            • Opcode Fuzzy Hash: 39398ca4bf87bed804ca7380330e155dc5bba8e055c56731faf510cc40fa8a3d
                                                            • Instruction Fuzzy Hash: B511D075B04218BFDB10EB69ED42B9A77A9F748704F908166F504E2690D7B9AF80C64C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 007277C9
                                                            • EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,00727CFF,?,?,?,00000000,00000000,?,0079430B,00000000,00000000,00000064,00000000), ref: 007277E7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountCriticalEnterSectionTick
                                                            • String ID: MYAH_LastDelegateTick
                                                            • API String ID: 3768448988-2068939020
                                                            • Opcode ID: f31822922213138ce3fe090be8c89be9b548e68764eb31a017cd2d7e69c75ab1
                                                            • Instruction ID: 95fd4d6d8b0e3682352c819f8c199af7319d83189056b2244fd3ddde9cc2d5dd
                                                            • Opcode Fuzzy Hash: f31822922213138ce3fe090be8c89be9b548e68764eb31a017cd2d7e69c75ab1
                                                            • Instruction Fuzzy Hash: 7B119A74A00318AFDB04DBA9DD52E9DB7F9FB89704F504476F804E7391DA38AE00CA10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetACP.KERNEL32(0047861C,00000000), ref: 00430464
                                                            • GetCPInfo.KERNEL32(00430548,?,0047861C,00000000), ref: 00430485
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Info
                                                            • String ID: L.A
                                                            • API String ID: 1807457897-2350765468
                                                            • Opcode ID: f1b999f04b8e8a33df948de643add4a0adb174aea7c6854597c24c0f6f97d03b
                                                            • Instruction ID: 72b6eb4a1d13dc2dce76246ebe218213dd2c0921c4328f3486b9e526878d4afa
                                                            • Opcode Fuzzy Hash: f1b999f04b8e8a33df948de643add4a0adb174aea7c6854597c24c0f6f97d03b
                                                            • Instruction Fuzzy Hash: 2C014972A017058FC320EF69C541997B7E4AF18360B00863FFD95C3361EA39E9008BAA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,005956AB,?,00000001,00000001,00000000,?,005957A1,00000000,005957C6,?,00000000,00000000,00000000), ref: 00595661
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,005956AB,?,00000001,00000001,00000000,?,005957A1,00000000,005957C6,?,00000000), ref: 0059568A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.405866393.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_400000_LI-180_Installer.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateDirectory
                                                            • String ID: \\?\
                                                            • API String ID: 4241100979-4282027825
                                                            • Opcode ID: e0a3bdc70c04e78168105b659149bbbb16886a6d6c0cca47080108260c0900a7
                                                            • Instruction ID: 9f5430ab1e94a2cdd9dae8f072e860b2ef55c5aa2821298d1840839241b5f79c
                                                            • Opcode Fuzzy Hash: e0a3bdc70c04e78168105b659149bbbb16886a6d6c0cca47080108260c0900a7
                                                            • Instruction Fuzzy Hash: CFF0F0702447047BDF11EBA5CCA2B9D76DDEB86B08F91083AF400E35D1EA799D104669
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%